set compileForOverlayEval true for java

.bazelrc

@@ -30,9 +30,6 @@ common --registry=https://bcr.bazel.build
 
 common --@rules_dotnet//dotnet/settings:strict_deps=false
 
-# we only configure a nightly toolchain
-common --@rules_rust//rust/toolchain/channel=nightly
-
 # Reduce this eventually to empty, once we've fixed all our usages of java, and https://github.com/bazel-contrib/rules_go/issues/4193 is fixed
 common --incompatible_autoload_externally="+@rules_java,+@rules_shell"
 

.github/copilot-instructions.md

@@ -1,4 +0,0 @@
-When reviewing code:
-* do not review changes in files with `.expected` extension (they are automatically ensured to be correct).
-* in `.ql` and `.qll` files, do not try to review the code itself as you don't understand the programming language
-  well enough to make comments in these languages. You can still check for typos or comment improvements.

.github/workflows/build-ripunzip.yml

@@ -6,21 +6,21 @@ on:
       ripunzip-version:
         description: "what reference to checktout from google/runzip"
         required: false
-        default: v2.0.2
+        default: v1.2.1
       openssl-version:
         description: "what reference to checkout from openssl/openssl for Linux"
         required: false
-        default: openssl-3.5.0
+        default: openssl-3.3.0
 
 jobs:
   build:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-22.04, macos-13, windows-2022]
+        os: [ubuntu-22.04, macos-13, windows-2019]
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
         with:
           repository: google/ripunzip
           ref: ${{ inputs.ripunzip-version }}
@@ -28,7 +28,7 @@ jobs:
       # see https://github.com/sfackler/rust-openssl/issues/183
       - if: runner.os == 'Linux'
         name: checkout openssl
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
         with:
           repository: openssl/openssl
           path: openssl

.github/workflows/buildifier.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
       - name: Check bazel formatting
         uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
         with:

.github/workflows/check-change-note.yml

@@ -16,6 +16,7 @@ on:
       - "shared/**/*.qll"
       - "!**/experimental/**"
       - "!ql/**"
+      - "!rust/**"
       - ".github/workflows/check-change-note.yml"
 
 jobs:

.github/workflows/check-implicit-this.yml

@@ -16,7 +16,7 @@ jobs:
   check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - name: Check that implicit this warnings is enabled for all packs
         shell: bash
         run: |

.github/workflows/check-overlay-annotations.yml

@@ -1,23 +0,0 @@
-name: Check overlay annotations
-
-on:
-  push:
-    branches:
-      - main
-      - 'rc/*'
-  pull_request:
-    branches:
-      - main
-      - 'rc/*'
-
-permissions:
-  contents: read
-
-jobs:
-  sync:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v5
-      - name: Check overlay annotations
-        run: python config/add-overlay-annotations.py --check java
-

.github/workflows/check-qldoc.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 2
 

.github/workflows/check-query-ids.yml

@@ -19,6 +19,6 @@ jobs:
     name: Check query IDs
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - name: Check for duplicate query IDs
         run: python3 misc/scripts/check-query-ids.py

.github/workflows/codegen.yml

@@ -0,0 +1,34 @@
+name: Codegen
+
+on:
+  pull_request:
+    paths:
+      - "misc/bazel/**"
+      - "misc/codegen/**"
+      - "*.bazel*"
+      - .github/workflows/codegen.yml
+      - .pre-commit-config.yaml
+    branches:
+      - main
+      - rc/*
+      - codeql-cli-*
+
+permissions:
+  contents: read
+
+jobs:
+  codegen:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v4
+        with:
+          python-version-file: 'misc/codegen/.python-version'
+      - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
+        name: Check that python code is properly formatted
+        with:
+          extra_args: autopep8 --all-files
+      - name: Run codegen tests
+        shell: bash
+        run: |
+          bazel test //misc/codegen/...

.github/workflows/codeql-analysis.yml

@@ -34,10 +34,10 @@ jobs:
     - name: Setup dotnet
       uses: actions/setup-dotnet@v4
       with:
-        dotnet-version: 9.0.300
+        dotnet-version: 9.0.100
 
     - name: Checkout repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/compile-queries.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest-xl
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - name: Setup CodeQL
         uses: ./.github/actions/fetch-codeql
         with:

.github/workflows/cpp-swift-analysis.yml

@@ -28,7 +28,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/csharp-qltest.yml

@@ -36,26 +36,26 @@ jobs:
   unit-tests:
     strategy:
       matrix:
-        os: [ubuntu-latest, windows-latest]
+        os: [ubuntu-latest, windows-2019]
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - name: Setup dotnet
         uses: actions/setup-dotnet@v4
         with:
-          dotnet-version: 9.0.300
+          dotnet-version: 9.0.100
       - name: Extractor unit tests
         run: |
           dotnet tool restore
-          dotnet test -p:RuntimeFrameworkVersion=9.0.5 extractor/Semmle.Util.Tests
-          dotnet test -p:RuntimeFrameworkVersion=9.0.5 extractor/Semmle.Extraction.Tests
-          dotnet test -p:RuntimeFrameworkVersion=9.0.5 autobuilder/Semmle.Autobuild.CSharp.Tests
-          dotnet test -p:RuntimeFrameworkVersion=9.0.5 autobuilder/Semmle.Autobuild.Cpp.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.0 extractor/Semmle.Util.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.0 extractor/Semmle.Extraction.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.0 autobuilder/Semmle.Autobuild.CSharp.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.0 autobuilder/Semmle.Autobuild.Cpp.Tests
         shell: bash
   stubgentest:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - uses: ./csharp/actions/create-extractor-pack
       - name: Run stub generator tests
         run: |
@@ -66,6 +66,6 @@ jobs:
           # Update existing stubs in the repo with the freshly generated ones
           mv "$STUBS_PATH/output/stubs/_frameworks" ql/test/resources/stubs/
           git status
-          codeql test run --threads=0 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote
+          codeql test run --threads=0 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote
         env:
           GITHUB_TOKEN: ${{ github.token }}

.github/workflows/csv-coverage-metrics.yml

@@ -23,7 +23,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
       - name: Setup CodeQL
         uses: ./.github/actions/fetch-codeql
       - name: Create empty database
@@ -51,7 +51,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
       - name: Setup CodeQL
         uses: ./.github/actions/fetch-codeql
       - name: Create empty database

.github/workflows/csv-coverage-pr-artifacts.yml

@@ -35,11 +35,11 @@ jobs:
           GITHUB_CONTEXT: ${{ toJSON(github.event) }}
         run: echo "$GITHUB_CONTEXT"
       - name: Clone self (github/codeql) - MERGE
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
         with:
           path: merge
       - name: Clone self (github/codeql) - BASE
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
         with:
           fetch-depth: 2
           path: base

.github/workflows/csv-coverage-pr-comment.yml

@@ -24,7 +24,7 @@ jobs:
         GITHUB_CONTEXT: ${{ toJSON(github.event) }}
       run: echo "$GITHUB_CONTEXT"
     - name: Clone self (github/codeql)
-      uses: actions/checkout@v5
+      uses: actions/checkout@v4
     - name: Set up Python 3.8
       uses: actions/setup-python@v4
       with:

.github/workflows/csv-coverage-timeseries.yml

@@ -12,11 +12,11 @@ jobs:
 
     steps:
       - name: Clone self (github/codeql)
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
         with:
           path: script
       - name: Clone self (github/codeql) for analysis
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
         with:
           path: codeqlModels
           fetch-depth: 0

.github/workflows/csv-coverage-update.yml

@@ -21,7 +21,7 @@ jobs:
           GITHUB_CONTEXT: ${{ toJSON(github.event) }}
         run: echo "$GITHUB_CONTEXT"
       - name: Clone self (github/codeql)
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
         with:
           path: ql
           fetch-depth: 0

.github/workflows/csv-coverage.yml

@@ -16,11 +16,11 @@ jobs:
 
     steps:
       - name: Clone self (github/codeql)
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
         with:
           path: script
       - name: Clone self (github/codeql) for analysis
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
         with:
           path: codeqlModels
           ref: ${{ github.event.inputs.qlModelShaOverride || github.ref }}

.github/workflows/fast-forward.yml

@@ -26,7 +26,7 @@ jobs:
           exit 1
 
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
 
       - name: Git config
         shell: bash

.github/workflows/go-tests-other-os.yml

@@ -0,0 +1,36 @@
+name: "Go: Run Tests - Other OS"
+on:
+  pull_request:
+    paths:
+      - "go/**"
+      - "!go/documentation/**"
+      - "!go/ql/**" # don't run other-os if only ql/ files changed
+      - .github/workflows/go-tests-other-os.yml
+      - .github/actions/**
+      - codeql-workspace.yml
+      - MODULE.bazel
+      - .bazelrc
+      - misc/bazel/**
+
+permissions:
+  contents: read
+
+jobs:
+  test-mac:
+    name: Test MacOS
+    runs-on: macos-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+      - name: Run tests
+        uses: ./go/actions/test
+
+  test-win:
+    if: github.repository_owner == 'github'
+    name: Test Windows
+    runs-on: windows-latest-xl
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+      - name: Run tests
+        uses: ./go/actions/test

.github/workflows/go-tests-rtjo.yml

@@ -0,0 +1,22 @@
+name: "Go: Run RTJO Tests"
+on:
+  pull_request:
+    types:
+      - labeled
+
+permissions:
+  contents: read
+
+jobs:
+  test-linux:
+    if: "github.repository_owner == 'github' && github.event.label.name == 'Run: RTJO Language Tests'"
+    name: RTJO Test Linux (Ubuntu)
+    runs-on: ubuntu-latest-xl
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+      - name: Run tests
+        uses: ./go/actions/test
+        with:
+          run-code-checks: true
+          dynamic-join-order-mode: all

.github/workflows/go-tests.yml

@@ -1,6 +1,6 @@
 name: "Go: Run Tests"
 on:
-  pull_request:
+  push:
     paths:
       - "go/**"
       - "!go/documentation/**"
@@ -8,6 +8,17 @@ on:
       - .github/workflows/go-tests.yml
       - .github/actions/**
       - codeql-workspace.yml
+    branches:
+      - main
+      - "rc/*"
+  pull_request:
+    paths:
+      - "go/**"
+      - "!go/documentation/**"      
+      - "shared/**"
+      - .github/workflows/go-tests.yml
+      - .github/actions/**
+      - codeql-workspace.yml
       - MODULE.bazel
       - .bazelrc
       - misc/bazel/**
@@ -22,7 +33,7 @@ jobs:
     runs-on: ubuntu-latest-xl
     steps:
       - name: Check out code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
       - name: Run tests
         uses: ./go/actions/test
         with:

.github/workflows/kotlin-build.yml

@@ -20,7 +20,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - run: |
           bazel query //java/kotlin-extractor/...
           # only build the default version as a quick check that we can build from `codeql`

.github/workflows/mad_modelDiff.yml

@@ -28,12 +28,12 @@ jobs:
         slug: ${{fromJson(github.event.inputs.projects || '["apache/commons-codec", "apache/commons-io", "apache/commons-beanutils", "apache/commons-logging", "apache/commons-fileupload", "apache/commons-lang", "apache/commons-validator", "apache/commons-csv", "apache/dubbo"]' )}}
     steps:
       - name: Clone github/codeql from PR
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
         if: github.event.pull_request
         with:
           path: codeql-pr
       - name: Clone github/codeql from main
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
         with:
           path: codeql-main
           ref: main
@@ -68,7 +68,7 @@ jobs:
             DATABASE=$2
             cd codeql-$QL_VARIANT
             SHORTNAME=`basename $DATABASE`
-            python misc/scripts/models-as-data/generate_mad.py --language java --with-summaries --with-sinks $DATABASE $SHORTNAME/$QL_VARIANT
+            python java/ql/src/utils/modelgenerator/GenerateFlowModel.py --with-summaries --with-sinks $DATABASE $SHORTNAME/$QL_VARIANT
             mkdir -p $MODELS/$SHORTNAME
             mv java/ql/lib/ext/generated/$SHORTNAME/$QL_VARIANT $MODELS/$SHORTNAME
             cd ..

.github/workflows/mad_regenerate-models.yml

@@ -30,11 +30,11 @@ jobs:
             ref: "placeholder"
     steps:
       - name: Clone self (github/codeql)
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
       - name: Setup CodeQL binaries
         uses: ./.github/actions/fetch-codeql
       - name: Clone repositories
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
         with:
           path: repos/${{ matrix.ref }}
           ref: ${{ matrix.ref }}

.github/workflows/python-tooling.yml

@@ -1,35 +0,0 @@
-name: Python tooling
-
-on:
-  pull_request:
-    paths:
-      - "misc/bazel/**"
-      - "misc/codegen/**"
-      - "misc/scripts/models-as-data/bulk_generate_mad.py"
-      - "*.bazel*"
-      - .github/workflows/codegen.yml
-      - .pre-commit-config.yaml
-    branches:
-      - main
-      - rc/*
-      - codeql-cli-*
-
-permissions:
-  contents: read
-
-jobs:
-  check-python-tooling:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-python@v5
-        with:
-          python-version: '3.12'
-      - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
-        name: Check that python code is properly formatted
-        with:
-          extra_args: black --all-files
-      - name: Run codegen tests
-        shell: bash
-        run: |
-          bazel test //misc/codegen/...

.github/workflows/qhelp-pr-preview.yml

@@ -43,7 +43,7 @@ jobs:
           if-no-files-found: error
           retention-days: 1
 
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 2
           persist-credentials: false

.github/workflows/ql-for-ql-build.yml

@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest-xl
     steps:
       ### Build the queries ###
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Find codeql

.github/workflows/ql-for-ql-dataset_measure.yml

@@ -25,7 +25,7 @@ jobs:
           - github/codeql
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
 
       - name: Find codeql
         id: find-codeql
@@ -46,14 +46,14 @@ jobs:
         env:
           CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
       - name: Checkout ${{ matrix.repo }}
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
         with:
           repository: ${{ matrix.repo }}
           path: ${{ github.workspace }}/repo
       - name: Create database
         run: |
           "${CODEQL}" database create \
-          --search-path "${{ github.workspace }}" \
+          --search-path "${{ github.workspace }}"
           --threads 4 \
             --language ql --source-root "${{ github.workspace }}/repo" \
             "${{ runner.temp }}/database"
@@ -75,7 +75,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: measure
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - uses: actions/download-artifact@v4
         with:
           name: measurements

.github/workflows/ql-for-ql-tests.yml

@@ -24,7 +24,7 @@ jobs:
   qltest:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - name: Find codeql
         id: find-codeql
         uses: github/codeql-action/init@main
@@ -64,7 +64,7 @@ jobs:
     needs: [qltest]
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - name: Install GNU tar
         if: runner.os == 'macOS'
         run: |

.github/workflows/query-list.yml

@@ -23,7 +23,7 @@ jobs:
 
     steps:
     - name: Clone self (github/codeql)
-      uses: actions/checkout@v5
+      uses: actions/checkout@v4
       with:
         path: codeql 
     - name: Set up Python 3.8
@@ -31,7 +31,7 @@ jobs:
       with:
         python-version: 3.8
     - name: Download CodeQL CLI
-      # Look under the `codeql` directory, as this is where we checked out the `github/codeql` repo
+      # Look under the `codeql` directory, as this is where we checked out the `github/codeql` repo
       uses: ./codeql/.github/actions/fetch-codeql
     - name: Build code scanning query list
       run: |

.github/workflows/ruby-build.yml

@@ -47,7 +47,7 @@ jobs:
     runs-on: ${{ matrix.os }}
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - name: Install GNU tar
         if: runner.os == 'macOS'
         run: |
@@ -113,7 +113,7 @@ jobs:
     if: github.repository_owner == 'github'
     runs-on: ubuntu-latest-xl
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - name: Fetch CodeQL
         uses: ./.github/actions/fetch-codeql
       - name: Cache compilation cache
@@ -146,7 +146,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: [build, compile-queries]
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - uses: actions/download-artifact@v4
         with:
           name: ruby.dbscheme
@@ -209,7 +209,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     needs: [package]
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - name: Fetch CodeQL
         uses: ./.github/actions/fetch-codeql
 

.github/workflows/ruby-dataset-measure.yml

@@ -30,14 +30,14 @@ jobs:
         repo: [rails/rails, discourse/discourse, spree/spree, ruby/ruby]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
 
       - uses: ./.github/actions/fetch-codeql
 
       - uses: ./ruby/actions/create-extractor-pack
 
       - name: Checkout ${{ matrix.repo }}
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
         with:
           repository: ${{ matrix.repo }}
           path: ${{ github.workspace }}/repo
@@ -62,7 +62,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: measure
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - uses: actions/download-artifact@v4
         with:
           path: stats

.github/workflows/ruby-qltest-rtjo.yml

@@ -25,7 +25,7 @@ jobs:
     strategy:
       fail-fast: false
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - uses: ./.github/actions/fetch-codeql
       - uses: ./ruby/actions/create-extractor-pack
       - name: Cache compilation cache
@@ -35,6 +35,6 @@ jobs:
           key: ruby-qltest
       - name: Run QL tests
         run: |
-          codeql test run --dynamic-join-order-mode=all --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+          codeql test run --dynamic-join-order-mode=all --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
         env:
           GITHUB_TOKEN: ${{ github.token }}

.github/workflows/ruby-qltest.yml

@@ -36,7 +36,7 @@ jobs:
   qlupgrade:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - uses: ./.github/actions/fetch-codeql
       - name: Check DB upgrade scripts
         run: |
@@ -58,7 +58,7 @@ jobs:
     strategy:
       fail-fast: false
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - uses: ./.github/actions/fetch-codeql
       - uses: ./ruby/actions/create-extractor-pack
       - name: Cache compilation cache
@@ -68,6 +68,6 @@ jobs:
           key: ruby-qltest
       - name: Run QL tests
         run: |
-          codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+          codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
         env:
           GITHUB_TOKEN: ${{ github.token }}

.github/workflows/rust-analysis.yml

@@ -35,7 +35,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v4
 
     - name: Query latest nightly CodeQL bundle
       shell: bash

.github/workflows/rust.yml

@@ -30,7 +30,7 @@ jobs:
         working-directory: rust/ast-generator
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
       - name: Inject sources
         shell: bash
         run: |
@@ -53,7 +53,7 @@ jobs:
         working-directory: rust/extractor
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
       - name: Format
         shell: bash
         run: |
@@ -69,7 +69,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
       - name: Install CodeQL
         uses: ./.github/actions/fetch-codeql
       - name: Code generation

.github/workflows/swift.yml

@@ -32,11 +32,11 @@ jobs:
     if: github.repository_owner == 'github'
     strategy:
       matrix:
-        runner: [ubuntu-latest, macos-15-xlarge]
+        runner: [ubuntu-latest, macos-13-xlarge]
       fail-fast: false
     runs-on: ${{ matrix.runner }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - name: Setup (Linux)
         if: runner.os == 'Linux'
         run: |
@@ -53,7 +53,7 @@ jobs:
   clang-format:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
         name: Check that python code is properly formatted
         with:
@@ -61,7 +61,7 @@ jobs:
   codegen:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - uses: ./.github/actions/fetch-codeql
       - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
         name: Check that QL generated code was checked in
@@ -77,6 +77,6 @@ jobs:
   check-no-override:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - name: Check that no override is present in load.bzl
         run: bazel test ... --test_tag_filters=override --test_output=errors

.github/workflows/sync-files.yml

@@ -17,7 +17,7 @@ jobs:
   sync:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - name: Check synchronized files
         run: python config/sync-files.py
       - name: Check dbscheme fragments

.github/workflows/tree-sitter-extractor-test.yml

@@ -30,7 +30,7 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - name: Check formatting
         run: cargo fmt -- --check
       - name: Run tests
@@ -38,12 +38,12 @@ jobs:
   fmt:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - name: Check formatting
         run: cargo fmt --check
   clippy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - name: Run clippy
         run: cargo clippy -- --no-deps -D warnings -A clippy::new_without_default -A clippy::too_many_arguments

.github/workflows/validate-change-notes.yml

@@ -23,7 +23,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
 
       - name: Setup CodeQL
         uses: ./.github/actions/fetch-codeql
@@ -31,4 +31,4 @@ jobs:
       - name: Fail if there are any errors with existing change notes
 
         run: |
-          codeql pack release --groups actions,cpp,csharp,go,java,javascript,python,ruby,shared,swift -examples,-test,-experimental
+          codeql pack release --groups cpp,csharp,java,javascript,python,ruby,-examples,-test,-experimental

.github/workflows/zipmerge-test.yml

@@ -18,6 +18,6 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
       - run: |
           bazel test //misc/bazel/internal/zipmerge:test --test_output=all

.gitignore

@@ -62,7 +62,6 @@ node_modules/
 
 # Temporary folders for working with generated models
 .model-temp
-/mad-generation-build
 
 # bazel-built in-tree extractor packs
 /*/extractor-pack
@@ -72,10 +71,3 @@ node_modules/
 
 # cargo build directory
 /target
-
-# some upgrade/downgrade checks create these files
-**/upgrades/*/*.dbscheme.stats
-**/downgrades/*/*.dbscheme.stats
-
-# Mergetool files
-*.orig

.pre-commit-config.yaml

@@ -1,7 +1,5 @@
 # See https://pre-commit.com for more information
 # See https://pre-commit.com/hooks.html for more hooks
-default_language_version:
-  python: python3.12
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v3.2.0
@@ -9,18 +7,18 @@ repos:
       - id: trailing-whitespace
         exclude: /test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
       - id: end-of-file-fixer
-        exclude: Cargo.lock$|/test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
+        exclude: /test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
 
   - repo: https://github.com/pre-commit/mirrors-clang-format
     rev: v17.0.6
     hooks:
       - id: clang-format
 
-  - repo: https://github.com/psf/black
-    rev: 25.1.0
+  - repo: https://github.com/pre-commit/mirrors-autopep8
+    rev: v2.0.4
     hooks:
-      - id: black
-        files: ^(misc/codegen/.*|misc/scripts/models-as-data/.*)\.py$
+      - id: autopep8
+        files: ^misc/codegen/.*\.py
 
   - repo: local
     hooks:

CODEOWNERS

@@ -1,7 +1,3 @@
-# Catch-all for anything which isn't matched by a line lower down
-* @github/code-scanning-alert-coverage
-
-# CodeQL language libraries
 /actions/ @github/codeql-dynamic
 /cpp/ @github/codeql-c-analysis
 /csharp/ @github/codeql-csharp
@@ -11,10 +7,8 @@
 /java/ @github/codeql-java
 /javascript/ @github/codeql-javascript
 /python/ @github/codeql-python
-/ql/ @github/codeql-ql-for-ql-reviewers
 /ruby/ @github/codeql-ruby
 /rust/ @github/codeql-rust
-/shared/ @github/codeql-shared-libraries-reviewers
 /swift/ @github/codeql-swift
 /misc/codegen/ @github/codeql-swift
 /java/kotlin-extractor/ @github/codeql-kotlin
@@ -22,8 +16,7 @@
 /java/ql/test-kotlin2/ @github/codeql-kotlin
 
 # Experimental CodeQL cryptography
-**/experimental/**/quantum/ @github/ps-codeql
-/shared/quantum/ @github/ps-codeql
+**/experimental/quantum/ @github/ps-codeql
 
 # CodeQL tools and associated docs
 /docs/codeql/codeql-cli/ @github/codeql-cli-reviewers
@@ -31,6 +24,9 @@
 /docs/codeql/ql-language-reference/ @github/codeql-frontend-reviewers
 /docs/query-*-style-guide.md @github/codeql-analysis-reviewers
 
+# QL for QL reviewers
+/ql/ @github/codeql-ql-for-ql-reviewers
+
 # Bazel (excluding BUILD.bazel files)
 MODULE.bazel @github/codeql-ci-reviewers
 .bazelversion @github/codeql-ci-reviewers

Cargo.toml

@@ -10,4 +10,8 @@ members = [
     "rust/ast-generator",
     "rust/autobuild",
 ]
-exclude = ["mad-generation-build"]
+
+[patch.crates-io]
+# patch for build script bug preventing bazel build
+# see https://github.com/rust-lang/rustc_apfloat/pull/17
+rustc_apfloat = { git = "https://github.com/redsun82/rustc_apfloat.git", rev = "32968f16ef1b082243f9bf43a3fbd65c381b3e27" }

MODULE.bazel

@@ -14,8 +14,8 @@ local_path_override(
 
 # see https://registry.bazel.build/ for a list of available packages
 
-bazel_dep(name = "platforms", version = "1.0.0")
-bazel_dep(name = "rules_go", version = "0.56.1")
+bazel_dep(name = "platforms", version = "0.0.11")
+bazel_dep(name = "rules_go", version = "0.50.1")
 bazel_dep(name = "rules_pkg", version = "1.0.1")
 bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1")
 bazel_dep(name = "rules_python", version = "0.40.0")
@@ -24,11 +24,11 @@ bazel_dep(name = "bazel_skylib", version = "1.7.1")
 bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "10.0.0")
-bazel_dep(name = "rules_kotlin", version = "2.1.3-codeql.1")
+bazel_dep(name = "rules_kotlin", version = "2.0.0-codeql.1")
 bazel_dep(name = "gazelle", version = "0.40.0")
-bazel_dep(name = "rules_dotnet", version = "0.19.2-codeql.1")
+bazel_dep(name = "rules_dotnet", version = "0.17.4")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
-bazel_dep(name = "rules_rust", version = "0.63.0")
+bazel_dep(name = "rules_rust", version = "0.58.0")
 bazel_dep(name = "zstd", version = "1.5.5.bcr.1")
 
 bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
@@ -37,11 +37,7 @@ bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True
 # the versions there are canonical, the versions here are used for CI in github/codeql, as well as for the vendoring of dependencies.
 RUST_EDITION = "2024"
 
-# run buildutils-internal/scripts/fill-rust-sha256s.py when updating (internal repo)
-# a nightly toolchain is required to enable experimental_use_cc_common_link, which we require internally
-# we prefer to run the same version as internally, even if experimental_use_cc_common_link is not really
-# required in this repo
-RUST_VERSION = "nightly/2025-08-01"
+RUST_VERSION = "1.85.0"
 
 rust = use_extension("@rules_rust//rust:extensions.bzl", "rust")
 rust.toolchain(
@@ -51,29 +47,6 @@ rust.toolchain(
         "x86_64-apple-darwin",
         "aarch64-apple-darwin",
     ],
-    # generated by buildutils-internal/scripts/fill-rust-sha256s.py (internal repo)
-    sha256s = {
-        "2025-08-01/rustc-nightly-x86_64-unknown-linux-gnu.tar.xz": "9bbeaf5d3fc7247d31463a9083aa251c995cc50662c8219e7a2254d76a72a9a4",
-        "2025-08-01/rustc-nightly-x86_64-apple-darwin.tar.xz": "c9ea539a8eff0d5d162701f99f9e1aabe14dd0dfb420d62362817a5d09219de7",
-        "2025-08-01/rustc-nightly-aarch64-apple-darwin.tar.xz": "ae83feebbc39cfd982e4ecc8297731fe79c185173aee138467b334c5404b3773",
-        "2025-08-01/rustc-nightly-x86_64-pc-windows-msvc.tar.xz": "9f170c30d802a349be60cf52ec46260802093cb1013ad667fc0d528b7b10152f",
-        "2025-08-01/clippy-nightly-x86_64-unknown-linux-gnu.tar.xz": "9ae5f3cd8f557c4f6df522597c69d14398cf604cfaed2b83e767c4b77a7eaaf6",
-        "2025-08-01/clippy-nightly-x86_64-apple-darwin.tar.xz": "983cb9ee0b6b968188e04ab2d33743d54764b2681ce565e1b3f2b9135c696a3e",
-        "2025-08-01/clippy-nightly-aarch64-apple-darwin.tar.xz": "ed2219dbc49d088225e1b7c5c4390fa295066e071fddaa2714018f6bb39ddbf0",
-        "2025-08-01/clippy-nightly-x86_64-pc-windows-msvc.tar.xz": "911f40ab5cbdd686f40e00965271fe47c4805513a308ed01f30eafb25b448a50",
-        "2025-08-01/cargo-nightly-x86_64-unknown-linux-gnu.tar.xz": "106463c284e48e4904c717471eeec2be5cc83a9d2cae8d6e948b52438cad2e69",
-        "2025-08-01/cargo-nightly-x86_64-apple-darwin.tar.xz": "6ad35c40efc41a8c531ea43235058347b6902d98a9693bf0aed7fc16d5590cef",
-        "2025-08-01/cargo-nightly-aarch64-apple-darwin.tar.xz": "dd28c365e9d298abc3154c797720ad36a0058f131265c9978b4c8e4e37012c8a",
-        "2025-08-01/cargo-nightly-x86_64-pc-windows-msvc.tar.xz": "7b431286e12d6b3834b038f078389a00cac73f351e8c3152b2504a3c06420b3b",
-        "2025-08-01/llvm-tools-nightly-x86_64-unknown-linux-gnu.tar.xz": "e342e305d7927cc288d386983b2bc253cfad3776b113386e903d0b302648ef47",
-        "2025-08-01/llvm-tools-nightly-x86_64-apple-darwin.tar.xz": "e44dd3506524d85c37b3a54bcc91d01378fd2c590b2db5c5974d12f05c1b84d1",
-        "2025-08-01/llvm-tools-nightly-aarch64-apple-darwin.tar.xz": "0c1b5f46dd81be4a9227b10283a0fcaa39c14fea7e81aea6fd6d9887ff6cdc41",
-        "2025-08-01/llvm-tools-nightly-x86_64-pc-windows-msvc.tar.xz": "423e5fd11406adccbc31b8456ceb7375ce055cdf45e90d2c3babeb2d7f58383f",
-        "2025-08-01/rust-std-nightly-x86_64-unknown-linux-gnu.tar.xz": "3c0ceb46a252647a1d4c7116d9ccae684fa5e42aaf3296419febd2c962c3b41d",
-        "2025-08-01/rust-std-nightly-x86_64-apple-darwin.tar.xz": "3be416003cab10f767390a753d1d16ae4d26c7421c03c98992cf1943e5b0efe8",
-        "2025-08-01/rust-std-nightly-aarch64-apple-darwin.tar.xz": "4046ac0ef951cb056b5028a399124f60999fa37792eab69d008d8d7965f389b4",
-        "2025-08-01/rust-std-nightly-x86_64-pc-windows-msvc.tar.xz": "191ed9d8603c3a4fe5a7bbbc2feb72049078dae2df3d3b7d5dedf3abbf823e6e",
-    },
     versions = [RUST_VERSION],
 )
 use_repo(rust, "rust_toolchains")
@@ -89,8 +62,8 @@ use_repo(
     "vendor_py__cc-1.2.14",
     "vendor_py__clap-4.5.30",
     "vendor_py__regex-1.11.1",
-    "vendor_py__tree-sitter-0.24.7",
-    "vendor_py__tree-sitter-graph-0.12.0",
+    "vendor_py__tree-sitter-0.20.4",
+    "vendor_py__tree-sitter-graph-0.7.0",
 )
 
 # deps for ruby+rust
@@ -98,60 +71,59 @@ use_repo(
 tree_sitter_extractors_deps = use_extension("//misc/bazel/3rdparty:tree_sitter_extractors_extension.bzl", "r")
 use_repo(
     tree_sitter_extractors_deps,
-    "vendor_ts__anyhow-1.0.100",
+    "vendor_ts__anyhow-1.0.97",
     "vendor_ts__argfile-0.2.1",
-    "vendor_ts__chalk-ir-0.104.0",
-    "vendor_ts__chrono-0.4.42",
-    "vendor_ts__clap-4.5.48",
+    "vendor_ts__chalk-ir-0.100.0",
+    "vendor_ts__chrono-0.4.40",
+    "vendor_ts__clap-4.5.35",
     "vendor_ts__dunce-1.0.5",
     "vendor_ts__either-1.15.0",
     "vendor_ts__encoding-0.2.33",
     "vendor_ts__figment-0.10.19",
-    "vendor_ts__flate2-1.1.2",
-    "vendor_ts__glob-0.3.3",
-    "vendor_ts__globset-0.4.16",
+    "vendor_ts__flate2-1.1.0",
+    "vendor_ts__glob-0.3.2",
+    "vendor_ts__globset-0.4.15",
     "vendor_ts__itertools-0.14.0",
     "vendor_ts__lazy_static-1.5.0",
     "vendor_ts__mustache-0.9.0",
     "vendor_ts__num-traits-0.2.19",
-    "vendor_ts__num_cpus-1.17.0",
-    "vendor_ts__proc-macro2-1.0.101",
-    "vendor_ts__quote-1.0.41",
-    "vendor_ts__ra_ap_base_db-0.0.301",
-    "vendor_ts__ra_ap_cfg-0.0.301",
-    "vendor_ts__ra_ap_hir-0.0.301",
-    "vendor_ts__ra_ap_hir_def-0.0.301",
-    "vendor_ts__ra_ap_hir_expand-0.0.301",
-    "vendor_ts__ra_ap_hir_ty-0.0.301",
-    "vendor_ts__ra_ap_ide_db-0.0.301",
-    "vendor_ts__ra_ap_intern-0.0.301",
-    "vendor_ts__ra_ap_load-cargo-0.0.301",
-    "vendor_ts__ra_ap_parser-0.0.301",
-    "vendor_ts__ra_ap_paths-0.0.301",
-    "vendor_ts__ra_ap_project_model-0.0.301",
-    "vendor_ts__ra_ap_span-0.0.301",
-    "vendor_ts__ra_ap_stdx-0.0.301",
-    "vendor_ts__ra_ap_syntax-0.0.301",
-    "vendor_ts__ra_ap_vfs-0.0.301",
-    "vendor_ts__rand-0.9.2",
-    "vendor_ts__rayon-1.11.0",
-    "vendor_ts__regex-1.11.3",
-    "vendor_ts__serde-1.0.228",
-    "vendor_ts__serde_json-1.0.145",
-    "vendor_ts__serde_with-3.14.1",
-    "vendor_ts__syn-2.0.106",
-    "vendor_ts__toml-0.9.7",
+    "vendor_ts__num_cpus-1.16.0",
+    "vendor_ts__proc-macro2-1.0.94",
+    "vendor_ts__quote-1.0.40",
+    "vendor_ts__ra_ap_base_db-0.0.273",
+    "vendor_ts__ra_ap_cfg-0.0.273",
+    "vendor_ts__ra_ap_hir-0.0.273",
+    "vendor_ts__ra_ap_hir_def-0.0.273",
+    "vendor_ts__ra_ap_hir_expand-0.0.273",
+    "vendor_ts__ra_ap_hir_ty-0.0.273",
+    "vendor_ts__ra_ap_ide_db-0.0.273",
+    "vendor_ts__ra_ap_intern-0.0.273",
+    "vendor_ts__ra_ap_load-cargo-0.0.273",
+    "vendor_ts__ra_ap_parser-0.0.273",
+    "vendor_ts__ra_ap_paths-0.0.273",
+    "vendor_ts__ra_ap_project_model-0.0.273",
+    "vendor_ts__ra_ap_span-0.0.273",
+    "vendor_ts__ra_ap_stdx-0.0.273",
+    "vendor_ts__ra_ap_syntax-0.0.273",
+    "vendor_ts__ra_ap_vfs-0.0.273",
+    "vendor_ts__rand-0.9.0",
+    "vendor_ts__rayon-1.10.0",
+    "vendor_ts__regex-1.11.1",
+    "vendor_ts__serde-1.0.219",
+    "vendor_ts__serde_json-1.0.140",
+    "vendor_ts__serde_with-3.12.0",
+    "vendor_ts__syn-2.0.100",
+    "vendor_ts__toml-0.8.20",
     "vendor_ts__tracing-0.1.41",
     "vendor_ts__tracing-flame-0.2.0",
-    "vendor_ts__tracing-subscriber-0.3.20",
-    "vendor_ts__tree-sitter-0.25.9",
-    "vendor_ts__tree-sitter-embedded-template-0.25.0",
+    "vendor_ts__tracing-subscriber-0.3.19",
+    "vendor_ts__tree-sitter-0.24.6",
+    "vendor_ts__tree-sitter-embedded-template-0.23.2",
     "vendor_ts__tree-sitter-json-0.24.8",
     "vendor_ts__tree-sitter-ql-0.23.1",
     "vendor_ts__tree-sitter-ruby-0.23.1",
     "vendor_ts__triomphe-0.1.14",
     "vendor_ts__ungrammar-1.16.1",
-    "vendor_ts__zstd-0.13.3",
 )
 
 http_archive = use_repo_rule("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
@@ -172,7 +144,7 @@ http_archive(
 )
 
 dotnet = use_extension("@rules_dotnet//dotnet:extensions.bzl", "dotnet")
-dotnet.toolchain(dotnet_version = "9.0.300")
+dotnet.toolchain(dotnet_version = "9.0.100")
 use_repo(dotnet, "dotnet_toolchains")
 
 register_toolchains("@dotnet_toolchains//:all")
@@ -221,6 +193,10 @@ use_repo(
     kotlin_extractor_deps,
     "codeql_kotlin_defaults",
     "codeql_kotlin_embeddable",
+    "kotlin-compiler-1.5.0",
+    "kotlin-compiler-1.5.10",
+    "kotlin-compiler-1.5.20",
+    "kotlin-compiler-1.5.30",
     "kotlin-compiler-1.6.0",
     "kotlin-compiler-1.6.20",
     "kotlin-compiler-1.7.0",
@@ -232,8 +208,10 @@ use_repo(
     "kotlin-compiler-2.0.20-Beta2",
     "kotlin-compiler-2.1.0-Beta1",
     "kotlin-compiler-2.1.20-Beta1",
-    "kotlin-compiler-2.2.0-Beta1",
-    "kotlin-compiler-2.2.20-Beta2",
+    "kotlin-compiler-embeddable-1.5.0",
+    "kotlin-compiler-embeddable-1.5.10",
+    "kotlin-compiler-embeddable-1.5.20",
+    "kotlin-compiler-embeddable-1.5.30",
     "kotlin-compiler-embeddable-1.6.0",
     "kotlin-compiler-embeddable-1.6.20",
     "kotlin-compiler-embeddable-1.7.0",
@@ -245,8 +223,10 @@ use_repo(
     "kotlin-compiler-embeddable-2.0.20-Beta2",
     "kotlin-compiler-embeddable-2.1.0-Beta1",
     "kotlin-compiler-embeddable-2.1.20-Beta1",
-    "kotlin-compiler-embeddable-2.2.0-Beta1",
-    "kotlin-compiler-embeddable-2.2.20-Beta2",
+    "kotlin-stdlib-1.5.0",
+    "kotlin-stdlib-1.5.10",
+    "kotlin-stdlib-1.5.20",
+    "kotlin-stdlib-1.5.30",
     "kotlin-stdlib-1.6.0",
     "kotlin-stdlib-1.6.20",
     "kotlin-stdlib-1.7.0",
@@ -258,35 +238,33 @@ use_repo(
     "kotlin-stdlib-2.0.20-Beta2",
     "kotlin-stdlib-2.1.0-Beta1",
     "kotlin-stdlib-2.1.20-Beta1",
-    "kotlin-stdlib-2.2.0-Beta1",
-    "kotlin-stdlib-2.2.20-Beta2",
 )
 
 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
-go_sdk.download(version = "1.25.0")
+go_sdk.download(version = "1.24.0")
 
 go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
 go_deps.from_file(go_mod = "//go/extractor:go.mod")
 use_repo(go_deps, "org_golang_x_mod", "org_golang_x_tools")
 
-lfs_archive = use_repo_rule("//misc/bazel:lfs.bzl", "lfs_archive")
+lfs_files = use_repo_rule("//misc/bazel:lfs.bzl", "lfs_files")
 
-lfs_archive(
+lfs_files(
     name = "ripunzip-linux",
-    src = "//misc/ripunzip:ripunzip-Linux.zip",
-    build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
+    srcs = ["//misc/ripunzip:ripunzip-linux"],
+    executable = True,
 )
 
-lfs_archive(
+lfs_files(
     name = "ripunzip-windows",
-    src = "//misc/ripunzip:ripunzip-Windows.zip",
-    build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
+    srcs = ["//misc/ripunzip:ripunzip-windows.exe"],
+    executable = True,
 )
 
-lfs_archive(
+lfs_files(
     name = "ripunzip-macos",
-    src = "//misc/ripunzip:ripunzip-macOS.zip",
-    build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
+    srcs = ["//misc/ripunzip:ripunzip-macos"],
+    executable = True,
 )
 
 register_toolchains(

actions/extractor/codeql-extractor.yml

@@ -1,17 +1,14 @@
 name: "actions"
+aliases: []
 display_name: "GitHub Actions"
 version: 0.0.1
 column_kind: "utf16"
 unicode_newlines: true
 build_modes:
   - none
-default_queries:
-  - codeql/actions-queries
-# Actions workflows are not reported separately by the GitHub API, so we can't
-# associate them with a specific language.
+file_coverage_languages: []
 github_api_languages: []
-scc_languages:
-  - YAML
+scc_languages: []
 file_types:
   - name: workflow
     display_name: GitHub Actions workflow files

actions/extractor/tools/baseline-config.json

@@ -1,10 +0,0 @@
-{
-    "paths": [
-        ".github/workflows/*.yml",
-        ".github/workflows/*.yaml",
-        ".github/reusable_workflows/**/*.yml",
-        ".github/reusable_workflows/**/*.yaml",
-        "**/action.yml",
-        "**/action.yaml"
-    ]
-}

actions/extractor/tools/configure-baseline.cmd

@@ -1,2 +0,0 @@
-@echo off
-type "%CODEQL_EXTRACTOR_ACTIONS_ROOT%\tools\baseline-config.json"

actions/extractor/tools/configure-baseline.sh

@@ -1,3 +0,0 @@
-#!/bin/sh
-
-cat "$CODEQL_EXTRACTOR_ACTIONS_ROOT/tools/baseline-config.json"

actions/ql/integration-tests/query-suite/actions-code-quality-extended.qls.expected

@@ -1 +0,0 @@
-

actions/ql/integration-tests/query-suite/actions-code-quality.qls.expected

@@ -1 +0,0 @@
-

actions/ql/integration-tests/query-suite/actions-code-scanning.qls.expected

@@ -1,18 +0,0 @@
-ql/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
-ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
-ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
-ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
-ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
-ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
-ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
-ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
-ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
-ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
-ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
-ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
-ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
-ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
-ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
-ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
-ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
-ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql

actions/ql/integration-tests/query-suite/actions-security-and-quality.qls.expected

@@ -1,28 +0,0 @@
-ql/actions/ql/src/Debug/SyntaxError.ql
-ql/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
-ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
-ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
-ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
-ql/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
-ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
-ql/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
-ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
-ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
-ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
-ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
-ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
-ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
-ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
-ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
-ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
-ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
-ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
-ql/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql
-ql/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql
-ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
-ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
-ql/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
-ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
-ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
-ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql
-ql/actions/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql

actions/ql/integration-tests/query-suite/actions-security-extended.qls.expected

@@ -1,24 +0,0 @@
-ql/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
-ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
-ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
-ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
-ql/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
-ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
-ql/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
-ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
-ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
-ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
-ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
-ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
-ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
-ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
-ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
-ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
-ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
-ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
-ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
-ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
-ql/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
-ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
-ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
-ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql

actions/ql/integration-tests/query-suite/not_included_in_qls.expected

@@ -1,17 +0,0 @@
-ql/actions/ql/src/Debug/partial.ql
-ql/actions/ql/src/Models/CompositeActionsSinks.ql
-ql/actions/ql/src/Models/CompositeActionsSources.ql
-ql/actions/ql/src/Models/CompositeActionsSummaries.ql
-ql/actions/ql/src/Models/ReusableWorkflowsSinks.ql
-ql/actions/ql/src/Models/ReusableWorkflowsSources.ql
-ql/actions/ql/src/Models/ReusableWorkflowsSummaries.ql
-ql/actions/ql/src/experimental/Security/CWE-074/OutputClobberingHigh.ql
-ql/actions/ql/src/experimental/Security/CWE-078/CommandInjectionCritical.ql
-ql/actions/ql/src/experimental/Security/CWE-078/CommandInjectionMedium.ql
-ql/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.ql
-ql/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionMedium.ql
-ql/actions/ql/src/experimental/Security/CWE-200/SecretExfiltration.ql
-ql/actions/ql/src/experimental/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
-ql/actions/ql/src/experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
-ql/actions/ql/src/experimental/Security/CWE-829/UnversionedImmutableAction.ql
-ql/actions/ql/src/experimental/Security/CWE-918/RequestForgery.ql

actions/ql/integration-tests/query-suite/test.py

@@ -1,14 +0,0 @@
-import runs_on
-import pytest
-from query_suites import *
-
-well_known_query_suites = ['actions-code-quality.qls', 'actions-code-quality-extended.qls', 'actions-security-and-quality.qls', 'actions-security-extended.qls', 'actions-code-scanning.qls']
-
-@runs_on.posix
-@pytest.mark.parametrize("query_suite", well_known_query_suites)
-def test(codeql, actions, check_query_suite, query_suite):
-    check_query_suite(query_suite)
-
-@runs_on.posix
-def test_not_included_queries(codeql, actions, check_queries_not_included):
-    check_queries_not_included('actions', well_known_query_suites)

actions/ql/lib/CHANGELOG.md

@@ -1,62 +1,6 @@
-## 0.4.19
-
-No user-facing changes.
-
-## 0.4.18
-
-No user-facing changes.
-
-## 0.4.17
-
-No user-facing changes.
-
-## 0.4.16
-
-No user-facing changes.
-
-## 0.4.15
-
-No user-facing changes.
-
-## 0.4.14
-
-No user-facing changes.
-
-## 0.4.13
-
-### Bug Fixes
-
-* The `actions/artifact-poisoning/critical` and `actions/artifact-poisoning/medium` queries now exclude artifacts downloaded to `$[{ runner.temp }}` in addition to `/tmp`.
-
-## 0.4.12
-
-### Minor Analysis Improvements
-
-* Fixed performance issues in the parsing of Bash scripts in workflow files,
-  which led to out-of-disk errors when analysing certain workflow files with
-  complex interpolations of shell commands or quoted strings.
-
-## 0.4.11
-
-No user-facing changes.
-
-## 0.4.10
-
-No user-facing changes.
-
-## 0.4.9
-
-No user-facing changes.
-
-## 0.4.8
-
-No user-facing changes.
-
 ## 0.4.7
 
-### New Features
-
-* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
+No user-facing changes.
 
 ## 0.4.6
 

actions/ql/lib/change-notes/released/0.4.10.md

@@ -1,3 +0,0 @@
-## 0.4.10
-
-No user-facing changes.

actions/ql/lib/change-notes/released/0.4.11.md

@@ -1,3 +0,0 @@
-## 0.4.11
-
-No user-facing changes.

actions/ql/lib/change-notes/released/0.4.12.md

@@ -1,7 +0,0 @@
-## 0.4.12
-
-### Minor Analysis Improvements
-
-* Fixed performance issues in the parsing of Bash scripts in workflow files,
-  which led to out-of-disk errors when analysing certain workflow files with
-  complex interpolations of shell commands or quoted strings.

actions/ql/lib/change-notes/released/0.4.13.md

@@ -1,5 +0,0 @@
-## 0.4.13
-
-### Bug Fixes
-
-* The `actions/artifact-poisoning/critical` and `actions/artifact-poisoning/medium` queries now exclude artifacts downloaded to `$[{ runner.temp }}` in addition to `/tmp`.

actions/ql/lib/change-notes/released/0.4.14.md

@@ -1,3 +0,0 @@
-## 0.4.14
-
-No user-facing changes.

actions/ql/lib/change-notes/released/0.4.15.md

@@ -1,3 +0,0 @@
-## 0.4.15
-
-No user-facing changes.

actions/ql/lib/change-notes/released/0.4.16.md

@@ -1,3 +0,0 @@
-## 0.4.16
-
-No user-facing changes.

actions/ql/lib/change-notes/released/0.4.17.md

@@ -1,3 +0,0 @@
-## 0.4.17
-
-No user-facing changes.

actions/ql/lib/change-notes/released/0.4.18.md

@@ -1,3 +0,0 @@
-## 0.4.18
-
-No user-facing changes.

actions/ql/lib/change-notes/released/0.4.19.md

@@ -1,3 +0,0 @@
-## 0.4.19
-
-No user-facing changes.

actions/ql/lib/change-notes/released/0.4.7.md

@@ -1,5 +1,3 @@
 ## 0.4.7
 
-### New Features
-
-* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
+No user-facing changes.

actions/ql/lib/change-notes/released/0.4.8.md

@@ -1,3 +0,0 @@
-## 0.4.8
-
-No user-facing changes.

actions/ql/lib/change-notes/released/0.4.9.md

@@ -1,3 +0,0 @@
-## 0.4.9
-
-No user-facing changes.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.19
+lastReleaseVersion: 0.4.7

actions/ql/lib/codeql/Locations.qll

@@ -70,8 +70,8 @@ class Location extends TLocation, TBaseLocation {
 
   /**
    * Holds if this element is at the specified location.
-   * The location spans column `sc` of line `sl` to
-   * column `ec` of line `el` in file `p`.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
    * For more information, see
    * [Providing locations in CodeQL queries](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
    */

actions/ql/lib/codeql/actions/Ast.qll

@@ -50,8 +50,8 @@ class Expression extends AstNode instanceof ExpressionImpl {
   string getNormalizedExpression() { result = normalizeExpr(expression) }
 }
 
-/** An `env` in workflow, job or step. */
-class Env extends AstNode instanceof EnvImpl {
+/** A common class for `env` in workflow, job or step. */
+abstract class Env extends AstNode instanceof EnvImpl {
   /** Gets an environment variable value given its name. */
   ScalarValueImpl getEnvVarValue(string name) { result = super.getEnvVarValue(name) }
 
@@ -261,7 +261,7 @@ class If extends AstNode instanceof IfImpl {
 }
 
 /**
- * An Environment node representing a deployment environment.
+ * An Environemnt node representing a deployment environment.
  */
 class Environment extends AstNode instanceof EnvironmentImpl {
   string getName() { result = super.getName() }

actions/ql/lib/codeql/actions/Bash.qll

@@ -8,64 +8,35 @@ class BashShellScript extends ShellScript {
     )
   }
 
-  /**
-   * Gets the line at 0-based index `lineIndex` within this shell script,
-   * assuming newlines as separators.
-   */
-  private string lineProducer(int lineIndex) {
-    result = this.getRawScript().regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n", lineIndex)
+  private string lineProducer(int i) {
+    result = this.getRawScript().regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n", i)
   }
 
-  private predicate cmdSubstitutionReplacement(string command, string id, int lineIndex) {
-    this.commandInSubstitution(lineIndex, command, id)
-    or
-    this.commandInBackticks(lineIndex, command, id)
-  }
-
-  /**
-   * Holds if there is a command substitution `$(command)` in
-   * the line at `lineIndex` in the shell script,
-   * and `id` is a unique identifier for this command.
-   */
-  private predicate commandInSubstitution(int lineIndex, string command, string id) {
-    exists(int occurrenceIndex, int occurrenceOffset |
-      command =
-        // Look for the command inside a $(...) command substitution
-        this.lineProducer(lineIndex)
-            .regexpFind("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", occurrenceIndex,
-              occurrenceOffset)
-            // trim starting $( - TODO do this in first regex
-            .regexpReplaceAll("^\\$\\(", "")
-            // trim ending ) - TODO do this in first regex
-            .regexpReplaceAll("\\)$", "") and
-      id = "cmdsubs:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset
+  private predicate cmdSubstitutionReplacement(string cmdSubs, string id, int k) {
+    exists(string line | line = this.lineProducer(k) |
+      exists(int i, int j |
+        cmdSubs =
+          // $() cmd substitution
+          line.regexpFind("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", i, j)
+              .regexpReplaceAll("^\\$\\(", "")
+              .regexpReplaceAll("\\)$", "") and
+        id = "cmdsubs:" + k + ":" + i + ":" + j
+      )
+      or
+      exists(int i, int j |
+        // `...` cmd substitution
+        cmdSubs =
+          line.regexpFind("\\`[^\\`]+\\`", i, j)
+              .regexpReplaceAll("^\\`", "")
+              .regexpReplaceAll("\\`$", "") and
+        id = "cmd:" + k + ":" + i + ":" + j
+      )
     )
   }
 
-  /**
-   * Holds if `command` is a command in backticks `` `...` `` in
-   * the line at `lineIndex` in the shell script,
-   * and `id` is a unique identifier for this command.
-   */
-  private predicate commandInBackticks(int lineIndex, string command, string id) {
-    exists(int occurrenceIndex, int occurrenceOffset |
-      command =
-        this.lineProducer(lineIndex)
-            .regexpFind("\\`[^\\`]+\\`", occurrenceIndex, occurrenceOffset)
-            // trim leading backtick - TODO do this in first regex
-            .regexpReplaceAll("^\\`", "")
-            // trim trailing backtick - TODO do this in first regex
-            .regexpReplaceAll("\\`$", "") and
-      id = "cmd:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset
-    )
-  }
-
-  private predicate rankedCmdSubstitutionReplacements(int i, string command, string commandId) {
-    // rank commands by their unique IDs
-    commandId = rank[i](string c, string id | this.cmdSubstitutionReplacement(c, id, _) | id) and
-    // since we cannot output (command, ID) tuples from the rank operation,
-    // we need to work out the specific command associated with the resulting ID
-    this.cmdSubstitutionReplacement(command, commandId, _)
+  private predicate rankedCmdSubstitutionReplacements(int i, string old, string new) {
+    old = rank[i](string old2 | this.cmdSubstitutionReplacement(old2, _, _) | old2) and
+    this.cmdSubstitutionReplacement(old, new, _)
   }
 
   private predicate doReplaceCmdSubstitutions(int line, int round, string old, string new) {
@@ -93,56 +64,31 @@ class BashShellScript extends ShellScript {
     this.cmdSubstitutionReplacement(result, _, i)
   }
 
-  /**
-   * Holds if `quotedStr` is a string in double quotes in
-   * the line at `lineIndex` in the shell script,
-   * and `id` is a unique identifier for this quoted string.
-   */
-  private predicate doubleQuotedString(int lineIndex, string quotedStr, string id) {
-    exists(int occurrenceIndex, int occurrenceOffset |
-      // double quoted string
-      quotedStr =
-        this.cmdSubstitutedLineProducer(lineIndex)
-            .regexpFind("\"((?:[^\"\\\\]|\\\\.)*)\"", occurrenceIndex, occurrenceOffset) and
-      id =
-        "qstr:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset + ":" +
-          quotedStr.length() + ":" + quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
-    )
-  }
-
-  /**
-   * Holds if `quotedStr` is a string in single quotes in
-   * the line at `lineIndex` in the shell script,
-   * and `id` is a unique identifier for this quoted string.
-   */
-  private predicate singleQuotedString(int lineIndex, string quotedStr, string id) {
-    exists(int occurrenceIndex, int occurrenceOffset |
-      // single quoted string
-      quotedStr =
-        this.cmdSubstitutedLineProducer(lineIndex)
-            .regexpFind("'((?:\\\\.|[^'\\\\])*)'", occurrenceIndex, occurrenceOffset) and
-      id =
-        "qstr:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset + ":" +
-          quotedStr.length() + ":" + quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
-    )
-  }
-
   private predicate quotedStringReplacement(string quotedStr, string id) {
-    exists(int lineIndex |
-      this.doubleQuotedString(lineIndex, quotedStr, id)
+    exists(string line, int k | line = this.cmdSubstitutedLineProducer(k) |
+      exists(int i, int j |
+        // double quoted string
+        quotedStr = line.regexpFind("\"((?:[^\"\\\\]|\\\\.)*)\"", i, j) and
+        id =
+          "qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" +
+            quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
+      )
       or
-      this.singleQuotedString(lineIndex, quotedStr, id)
+      exists(int i, int j |
+        // single quoted string
+        quotedStr = line.regexpFind("'((?:\\\\.|[^'\\\\])*)'", i, j) and
+        id =
+          "qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" +
+            quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
+      )
     ) and
     // Only do this for strings that might otherwise disrupt subsequent parsing
     quotedStr.regexpMatch("[\"'].*[$\n\r'\"" + Bash::separator() + "].*[\"']")
   }
 
-  private predicate rankedQuotedStringReplacements(int i, string quotedString, string quotedStringId) {
-    // rank quoted strings by their nearly-unique IDs
-    quotedStringId = rank[i](string s, string id | this.quotedStringReplacement(s, id) | id) and
-    // since we cannot output (string, ID) tuples from the rank operation,
-    // we need to work out the specific string associated with the resulting ID
-    this.quotedStringReplacement(quotedString, quotedStringId)
+  private predicate rankedQuotedStringReplacements(int i, string old, string new) {
+    old = rank[i](string old2 | this.quotedStringReplacement(old2, _) | old2) and
+    this.quotedStringReplacement(old, new)
   }
 
   private predicate doReplaceQuotedStrings(int line, int round, string old, string new) {

actions/ql/lib/codeql/actions/Helper.qll

@@ -72,7 +72,7 @@ string normalizePath(string path) {
       then result = path
       else
         // foo -> GITHUB_WORKSPACE/foo
-        if path.regexpMatch("^[^$/~].*")
+        if path.regexpMatch("^[^/~].*")
         then result = "GITHUB_WORKSPACE/" + path.regexpReplaceAll("/$", "")
         else
           // ~/foo -> ~/foo

actions/ql/lib/codeql/actions/ast/internal/Ast.qll

@@ -125,11 +125,12 @@ abstract class AstNodeImpl extends TAstNode {
    * Gets the enclosing Step.
    */
   StepImpl getEnclosingStep() {
-    this instanceof StepImpl and
-    result = this
-    or
-    this instanceof ScalarValueImpl and
-    result.getAChildNode*() = this.getParentNode()
+    if this instanceof StepImpl
+    then result = this
+    else
+      if this instanceof ScalarValueImpl
+      then result.getAChildNode*() = this.getParentNode()
+      else none()
   }
 
   /**
@@ -1415,8 +1416,9 @@ class ExternalJobImpl extends JobImpl, UsesImpl {
   override string getVersion() {
     exists(YamlString name |
       n.lookup("uses") = name and
-      not name.getValue().matches("\\.%") and
-      result = name.getValue().regexpCapture(repoUsesParser(), 4)
+      if not name.getValue().matches("\\.%")
+      then result = name.getValue().regexpCapture(repoUsesParser(), 4)
+      else none()
     )
   }
 }

actions/ql/lib/codeql/actions/controlflow/BasicBlocks.qll

@@ -286,7 +286,7 @@ private module Cached {
   /**
    * Holds if `cfn` is the `i`th node in basic block `bb`.
    *
-   * In other words, `i` is the shortest distance from a node `bbStart`
+   * In other words, `i` is the shortest distance from a node `bb`
    * that starts a basic block to `cfn` along the `intraBBSucc` relation.
    */
   cached

actions/ql/lib/codeql/actions/controlflow/internal/Cfg.qll

@@ -3,8 +3,6 @@ private import codeql.controlflow.Cfg as CfgShared
 private import codeql.Locations
 
 module Completion {
-  import codeql.controlflow.SuccessorType
-
   private newtype TCompletion =
     TSimpleCompletion() or
     TBooleanCompletion(boolean b) { b in [false, true] } or
@@ -27,7 +25,7 @@ module Completion {
 
     override predicate isValidFor(AstNode e) { not any(Completion c).isValidForSpecific(e) }
 
-    override DirectSuccessor getAMatchingSuccessorType() { any() }
+    override NormalSuccessor getAMatchingSuccessorType() { any() }
   }
 
   class BooleanCompletion extends NormalCompletion, TBooleanCompletion {
@@ -51,6 +49,34 @@ module Completion {
 
     override ReturnSuccessor getAMatchingSuccessorType() { any() }
   }
+
+  cached
+  private newtype TSuccessorType =
+    TNormalSuccessor() or
+    TBooleanSuccessor(boolean b) { b in [false, true] } or
+    TReturnSuccessor()
+
+  class SuccessorType extends TSuccessorType {
+    string toString() { none() }
+  }
+
+  class NormalSuccessor extends SuccessorType, TNormalSuccessor {
+    override string toString() { result = "successor" }
+  }
+
+  class BooleanSuccessor extends SuccessorType, TBooleanSuccessor {
+    boolean value;
+
+    BooleanSuccessor() { this = TBooleanSuccessor(value) }
+
+    override string toString() { result = value.toString() }
+
+    boolean getValue() { result = value }
+  }
+
+  class ReturnSuccessor extends SuccessorType, TReturnSuccessor {
+    override string toString() { result = "return" }
+  }
 }
 
 module CfgScope {
@@ -101,8 +127,14 @@ private module Implementation implements CfgShared::InputSig<Location> {
     last(scope.(CompositeAction), e, c)
   }
 
+  predicate successorTypeIsSimple(SuccessorType t) { t instanceof NormalSuccessor }
+
+  predicate successorTypeIsCondition(SuccessorType t) { t instanceof BooleanSuccessor }
+
   SuccessorType getAMatchingSuccessorType(Completion c) { result = c.getAMatchingSuccessorType() }
 
+  predicate isAbnormalExitType(SuccessorType t) { none() }
+
   int idOfAstNode(AstNode node) { none() }
 
   int idOfCfgScope(CfgScope scope) { none() }

actions/ql/lib/codeql/actions/dataflow/ExternalFlow.qll

@@ -63,10 +63,10 @@ predicate madSource(DataFlow::Node source, string kind, string fieldName) {
     (
       if fieldName.trim().matches("env.%")
       then source.asExpr() = uses.getInScopeEnvVarExpr(fieldName.trim().replaceAll("env.", ""))
-      else (
-        fieldName.trim().matches("output.%") and
-        source.asExpr() = uses
-      )
+      else
+        if fieldName.trim().matches("output.%")
+        then source.asExpr() = uses
+        else none()
     )
   )
 }

actions/ql/lib/codeql/actions/dataflow/FlowSources.qll

@@ -31,14 +31,14 @@ abstract class RemoteFlowSource extends SourceNode {
 class GitHubCtxSource extends RemoteFlowSource {
   string flag;
   string event;
+  GitHubExpression e;
 
   GitHubCtxSource() {
-    exists(GitHubExpression e |
-      this.asExpr() = e and
-      // github.head_ref
-      e.getFieldName() = "head_ref" and
-      flag = "branch"
-    |
+    this.asExpr() = e and
+    // github.head_ref
+    e.getFieldName() = "head_ref" and
+    flag = "branch" and
+    (
       event = e.getATriggerEvent().getName() and
       event = "pull_request_target"
       or
@@ -148,6 +148,7 @@ class GhCLICommandSource extends RemoteFlowSource, CommandSource {
 class GitHubEventPathSource extends RemoteFlowSource, CommandSource {
   string cmd;
   string flag;
+  string access_path;
   Run run;
 
   // Examples
@@ -162,7 +163,7 @@ class GitHubEventPathSource extends RemoteFlowSource, CommandSource {
     run.getScript().getACommand() = cmd and
     cmd.matches("jq%") and
     cmd.matches("%GITHUB_EVENT_PATH%") and
-    exists(string regexp, string access_path |
+    exists(string regexp |
       untrustedEventPropertiesDataModel(regexp, flag) and
       not flag = "json" and
       access_path = "github.event" + cmd.regexpCapture(".*\\s+([^\\s]+)\\s+.*", 1) and

actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll

@@ -1,7 +1,6 @@
 private import actions
 private import codeql.actions.TaintTracking
 private import codeql.actions.dataflow.ExternalFlow
-private import codeql.actions.security.ControlChecks
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.DataFlow
 
@@ -19,6 +18,7 @@ abstract class ArgumentInjectionSink extends DataFlow::Node {
  */
 class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink {
   string command;
+  string argument;
 
   ArgumentInjectionFromEnvVarSink() {
     exists(Run run, string var |
@@ -27,7 +27,7 @@ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink {
         exists(run.getInScopeEnvVarExpr(var)) or
         var = "GITHUB_HEAD_REF"
       ) and
-      run.getScript().getAnEnvReachingArgumentInjectionSink(var, command, _)
+      run.getScript().getAnEnvReachingArgumentInjectionSink(var, command, argument)
     )
   }
 
@@ -43,12 +43,13 @@ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink {
  */
 class ArgumentInjectionFromCommandSink extends ArgumentInjectionSink {
   string command;
+  string argument;
 
   ArgumentInjectionFromCommandSink() {
     exists(CommandSource source, Run run |
       run = source.getEnclosingRun() and
       this.asExpr() = run.getScript() and
-      run.getScript().getACmdReachingArgumentInjectionSink(source.getCommand(), command, _)
+      run.getScript().getACmdReachingArgumentInjectionSink(source.getCommand(), command, argument)
     )
   }
 
@@ -64,16 +65,6 @@ class ArgumentInjectionFromMaDSink extends ArgumentInjectionSink {
   override string getCommand() { result = "unknown" }
 }
 
-/**
- * Gets the event that is relevant for the given node in the context of argument injection.
- *
- * This is used to highlight the event in the query results when an alert is raised.
- */
-Event getRelevantEventInPrivilegedContext(DataFlow::Node node) {
-  inPrivilegedContext(node.asExpr(), result) and
-  not exists(ControlCheck check | check.protects(node.asExpr(), result, "argument-injection"))
-}
-
 /**
  * A taint-tracking configuration for unsafe user input
  * that is used to construct and evaluate a code script.
@@ -97,16 +88,6 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig {
       run.getScript().getAnEnvReachingArgumentInjectionSink(var, _, _)
     )
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
-
-  Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    result = getRelevantEventInPrivilegedContext(sink).getLocation()
-  }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */

actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll

@@ -4,7 +4,6 @@ import codeql.actions.DataFlow
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.security.PoisonableSteps
 import codeql.actions.security.UntrustedCheckoutQuery
-import codeql.actions.security.ControlChecks
 
 string unzipRegexp() { result = "(unzip|tar)\\s+.*" }
 
@@ -125,6 +124,8 @@ class LegitLabsDownloadArtifactActionStep extends UntrustedArtifactDownloadStep,
 }
 
 class ActionsGitHubScriptDownloadStep extends UntrustedArtifactDownloadStep, UsesStep {
+  string script;
+
   ActionsGitHubScriptDownloadStep() {
     // eg:
     // - uses: actions/github-script@v6
@@ -147,14 +148,12 @@ class ActionsGitHubScriptDownloadStep extends UntrustedArtifactDownloadStep, Use
     //      var fs = require('fs');
     //      fs.writeFileSync('${{github.workspace}}/test-results.zip', Buffer.from(download.data));
     this.getCallee() = "actions/github-script" and
-    exists(string script |
-      this.getArgument("script") = script and
-      script.matches("%listWorkflowRunArtifacts(%") and
-      script.matches("%downloadArtifact(%") and
-      script.matches("%writeFileSync(%") and
-      // Filter out artifacts that were created by pull-request.
-      not script.matches("%exclude_pull_requests: true%")
-    )
+    this.getArgument("script") = script and
+    script.matches("%listWorkflowRunArtifacts(%") and
+    script.matches("%downloadArtifact(%") and
+    script.matches("%writeFileSync(%") and
+    // Filter out artifacts that were created by pull-request.
+    not script.matches("%exclude_pull_requests: true%")
   }
 
   override string getPath() {
@@ -171,10 +170,10 @@ class ActionsGitHubScriptDownloadStep extends UntrustedArtifactDownloadStep, Use
                 .getScript()
                 .getACommand()
                 .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3)))
-    else (
-      this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp()) and
-      result = "GITHUB_WORKSPACE/"
-    )
+    else
+      if this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp())
+      then result = "GITHUB_WORKSPACE/"
+      else none()
   }
 }
 
@@ -207,13 +206,12 @@ class GHRunArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run {
                 .getScript()
                 .getACommand()
                 .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3)))
-    else (
-      (
+    else
+      if
         this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp()) or
         this.getScript().getACommand().regexpMatch(unzipRegexp())
-      ) and
-      result = "GITHUB_WORKSPACE/"
-    )
+      then result = "GITHUB_WORKSPACE/"
+      else none()
   }
 }
 
@@ -260,15 +258,13 @@ class DirectArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run {
 
 class ArtifactPoisoningSink extends DataFlow::Node {
   UntrustedArtifactDownloadStep download;
+  PoisonableStep poisonable;
 
   ArtifactPoisoningSink() {
-    exists(PoisonableStep poisonable |
-      download.getAFollowingStep() = poisonable and
-      // excluding artifacts downloaded to the temporary directory
-      not download.getPath().regexpMatch("^/tmp.*") and
-      not download.getPath().regexpMatch("^\\$\\{\\{\\s*runner\\.temp\\s*}}.*") and
-      not download.getPath().regexpMatch("^\\$RUNNER_TEMP.*")
-    |
+    download.getAFollowingStep() = poisonable and
+    // excluding artifacts downloaded to /tmp
+    not download.getPath().regexpMatch("^/tmp.*") and
+    (
       poisonable.(Run).getScript() = this.asExpr() and
       (
         // Check if the poisonable step is a local script execution step
@@ -294,16 +290,6 @@ class ArtifactPoisoningSink extends DataFlow::Node {
   string getPath() { result = download.getPath() }
 }
 
-/**
- * Gets the event that is relevant for the given node in the context of artifact poisoning.
- *
- * This is used to highlight the event in the query results when an alert is raised.
- */
-Event getRelevantEventInPrivilegedContext(DataFlow::Node node) {
-  inPrivilegedContext(node.asExpr(), result) and
-  not exists(ControlCheck check | check.protects(node.asExpr(), result, "artifact-poisoning"))
-}
-
 /**
  * A taint-tracking configuration for unsafe artifacts
  * that is used may lead to artifact poisoning
@@ -330,16 +316,6 @@ private module ArtifactPoisoningConfig implements DataFlow::ConfigSig {
       exists(run.getScript().getAFileReadCommand())
     )
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
-
-  Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    result = getRelevantEventInPrivilegedContext(sink).getLocation()
-  }
 }
 
 /** Tracks flow of unsafe artifacts that is used in an insecure way. */

actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll

@@ -3,8 +3,6 @@ private import codeql.actions.TaintTracking
 private import codeql.actions.dataflow.ExternalFlow
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.DataFlow
-import codeql.actions.security.ControlChecks
-import codeql.actions.security.CachePoisoningQuery
 
 class CodeInjectionSink extends DataFlow::Node {
   CodeInjectionSink() {
@@ -13,46 +11,6 @@ class CodeInjectionSink extends DataFlow::Node {
   }
 }
 
-/**
- * Get the relevant event for the sink in CodeInjectionCritical.ql.
- */
-Event getRelevantCriticalEventForSink(DataFlow::Node sink) {
-  inPrivilegedContext(sink.asExpr(), result) and
-  not exists(ControlCheck check | check.protects(sink.asExpr(), result, "code-injection")) and
-  // exclude cases where the sink is a JS script and the expression uses toJson
-  not exists(UsesStep script |
-    script.getCallee() = "actions/github-script" and
-    script.getArgumentExpr("script") = sink.asExpr() and
-    exists(getAToJsonReferenceExpression(sink.asExpr().(Expression).getExpression(), _))
-  )
-}
-
-/**
- * Get the relevant event for the sink in CachePoisoningViaCodeInjection.ql.
- */
-Event getRelevantCachePoisoningEventForSink(DataFlow::Node sink) {
-  exists(LocalJob job |
-    job = sink.asExpr().getEnclosingJob() and
-    job.getATriggerEvent() = result and
-    // job can be triggered by an external user
-    result.isExternallyTriggerable() and
-    // excluding privileged workflows since they can be exploited in easier circumstances
-    // which is covered by `actions/code-injection/critical`
-    not job.isPrivilegedExternallyTriggerable(result) and
-    (
-      // the workflow runs in the context of the default branch
-      runsOnDefaultBranch(result)
-      or
-      // the workflow caller runs in the context of the default branch
-      result.getName() = "workflow_call" and
-      exists(ExternalJob caller |
-        caller.getCallee() = job.getLocation().getFile().getRelativePath() and
-        runsOnDefaultBranch(caller.getATriggerEvent())
-      )
-    )
-  )
-}
-
 /**
  * A taint-tracking configuration for unsafe user input
  * that is used to construct and evaluate a code script.
@@ -77,18 +35,6 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {
       exists(run.getScript().getAFileReadCommand())
     )
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
-
-  Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    result = getRelevantCriticalEventForSink(sink).getLocation()
-    or
-    result = getRelevantCachePoisoningEventForSink(sink).getLocation()
-  }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */

actions/ql/lib/codeql/actions/security/CommandInjectionQuery.qll

@@ -3,20 +3,11 @@ private import codeql.actions.TaintTracking
 private import codeql.actions.dataflow.ExternalFlow
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.DataFlow
-import codeql.actions.security.ControlChecks
 
 private class CommandInjectionSink extends DataFlow::Node {
   CommandInjectionSink() { madSink(this, "command-injection") }
 }
 
-/** Get the relevant event for the sink in CommandInjectionCritical.ql. */
-Event getRelevantEventInPrivilegedContext(DataFlow::Node sink) {
-  inPrivilegedContext(sink.asExpr(), result) and
-  not exists(ControlCheck check |
-    check.protects(sink.asExpr(), result, ["command-injection", "code-injection"])
-  )
-}
-
 /**
  * A taint-tracking configuration for unsafe user input
  * that is used to construct and evaluate a system command.
@@ -25,16 +16,6 @@ private module CommandInjectionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
-
-  Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    result = getRelevantEventInPrivilegedContext(sink).getLocation()
-  }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */

actions/ql/lib/codeql/actions/security/ControlChecks.qll

@@ -159,8 +159,11 @@ abstract class CommentVsHeadDateCheck extends ControlCheck {
 
 /* Specific implementations of control checks */
 class LabelIfCheck extends LabelCheck instanceof If {
+  string condition;
+
   LabelIfCheck() {
-    exists(string condition | condition = normalizeExpr(this.getCondition()) |
+    condition = normalizeExpr(this.getCondition()) and
+    (
       // eg: contains(github.event.pull_request.labels.*.name, 'safe to test')
       condition.regexpMatch(".*(^|[^!])contains\\(\\s*github\\.event\\.pull_request\\.labels\\b.*")
       or

actions/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll

@@ -72,25 +72,6 @@ class EnvPathInjectionFromMaDSink extends EnvPathInjectionSink {
   EnvPathInjectionFromMaDSink() { madSink(this, "envpath-injection") }
 }
 
-/**
- * Get the relevant event for a sink in EnvPathInjectionCritical.ql where the source type is "artifact".
- */
-Event getRelevantArtifactEventInPrivilegedContext(DataFlow::Node sink) {
-  inPrivilegedContext(sink.asExpr(), result) and
-  not exists(ControlCheck check |
-    check.protects(sink.asExpr(), result, ["untrusted-checkout", "artifact-poisoning"])
-  ) and
-  sink instanceof EnvPathInjectionFromFileReadSink
-}
-
-/**
- * Get the relevant event for a sink in EnvPathInjectionCritical.ql where the source type is not "artifact".
- */
-Event getRelevantNonArtifactEventInPrivilegedContext(DataFlow::Node sink) {
-  inPrivilegedContext(sink.asExpr(), result) and
-  not exists(ControlCheck check | check.protects(sink.asExpr(), result, "code-injection"))
-}
-
 /**
  * A taint-tracking configuration for unsafe user input
  * that is used to construct and evaluate an environment variable.
@@ -127,18 +108,6 @@ private module EnvPathInjectionConfig implements DataFlow::ConfigSig {
       exists(run.getScript().getAFileReadCommand())
     )
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
-
-  Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    result = getRelevantArtifactEventInPrivilegedContext(sink).getLocation()
-    or
-    result = getRelevantNonArtifactEventInPrivilegedContext(sink).getLocation()
-  }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate the PATH environment variable. */

actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll

@@ -55,8 +55,12 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink {
  *          echo "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV
  */
 class EnvVarInjectionFromCommandSink extends EnvVarInjectionSink {
+  CommandSource inCommand;
+  string injectedVar;
+  string command;
+
   EnvVarInjectionFromCommandSink() {
-    exists(Run run, CommandSource inCommand, string injectedVar, string command |
+    exists(Run run |
       this.asExpr() = inCommand.getEnclosingRun().getScript() and
       run = inCommand.getEnclosingRun() and
       run.getScript().getACmdReachingGitHubEnvWrite(inCommand.getCommand(), injectedVar) and
@@ -82,8 +86,12 @@ class EnvVarInjectionFromCommandSink extends EnvVarInjectionSink {
  *      echo "FOO=$BODY" >> $GITHUB_ENV
  */
 class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink {
+  string inVar;
+  string injectedVar;
+  string command;
+
   EnvVarInjectionFromEnvVarSink() {
-    exists(Run run, string inVar, string injectedVar, string command |
+    exists(Run run |
       run.getScript() = this.asExpr() and
       exists(run.getInScopeEnvVarExpr(inVar)) and
       run.getScript().getAnEnvReachingGitHubEnvWrite(inVar, injectedVar) and
@@ -118,32 +126,6 @@ class EnvVarInjectionFromMaDSink extends EnvVarInjectionSink {
   EnvVarInjectionFromMaDSink() { madSink(this, "envvar-injection") }
 }
 
-/**
- * Get the relevant event for a sink in EnvVarInjectionCritical.ql where the source type is "artifact".
- */
-Event getRelevantArtifactEventInPrivilegedContext(DataFlow::Node sink) {
-  inPrivilegedContext(sink.asExpr(), result) and
-  not exists(ControlCheck check |
-    check
-        .protects(sink.asExpr(), result,
-          ["envvar-injection", "untrusted-checkout", "artifact-poisoning"])
-  ) and
-  (
-    sink instanceof EnvVarInjectionFromFileReadSink or
-    madSink(sink, "envvar-injection")
-  )
-}
-
-/**
- * Get the relevant event for a sink in EnvVarInjectionCritical.ql where the source type is not "artifact".
- */
-Event getRelevantNonArtifactEventInPrivilegedContext(DataFlow::Node sink) {
-  inPrivilegedContext(sink.asExpr(), result) and
-  not exists(ControlCheck check |
-    check.protects(sink.asExpr(), result, ["envvar-injection", "code-injection"])
-  )
-}
-
 /**
  * A taint-tracking configuration for unsafe user input
  * that is used to construct and evaluate an environment variable.
@@ -181,18 +163,6 @@ private module EnvVarInjectionConfig implements DataFlow::ConfigSig {
       exists(run.getScript().getAFileReadCommand())
     )
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
-
-  Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    result = getRelevantArtifactEventInPrivilegedContext(sink).getLocation()
-    or
-    result = getRelevantNonArtifactEventInPrivilegedContext(sink).getLocation()
-  }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */

actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll

@@ -99,14 +99,18 @@ class OutputClobberingFromEnvVarSink extends OutputClobberingSink {
  *          echo $BODY
  */
 class WorkflowCommandClobberingFromEnvVarSink extends OutputClobberingSink {
+  string clobbering_var;
+  string clobbered_value;
+
   WorkflowCommandClobberingFromEnvVarSink() {
-    exists(Run run, string workflow_cmd_stmt, string clobbering_stmt, string clobbering_var |
+    exists(Run run, string workflow_cmd_stmt, string clobbering_stmt |
       run.getScript() = this.asExpr() and
       run.getScript().getAStmt() = clobbering_stmt and
       clobbering_stmt.regexpMatch("echo\\s+(-e\\s+)?(\"|')?\\$(\\{)?" + clobbering_var + ".*") and
       exists(run.getInScopeEnvVarExpr(clobbering_var)) and
       run.getScript().getAStmt() = workflow_cmd_stmt and
-      exists(trimQuotes(workflow_cmd_stmt.regexpCapture(".*::set-output\\s+name=.*::(.*)", 1)))
+      clobbered_value =
+        trimQuotes(workflow_cmd_stmt.regexpCapture(".*::set-output\\s+name=.*::(.*)", 1))
     )
   }
 }
@@ -210,10 +214,6 @@ private module OutputClobberingConfig implements DataFlow::ConfigSig {
       )
     )
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */

actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll

@@ -16,10 +16,6 @@ private module RequestForgeryConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */

actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll

@@ -15,10 +15,6 @@ private module SecretExfiltrationConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof SecretExfiltrationSink }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 /** Tracks flow of unsafe user input that is used in a context where it may lead to a secret exfiltration. */

actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll

@@ -1,8 +1,10 @@
 import actions
 
 class UnversionedImmutableAction extends UsesStep {
+  string immutable_action;
+
   UnversionedImmutableAction() {
-    isImmutableAction(this, _) and
+    isImmutableAction(this, immutable_action) and
     not isSemVer(this.getVersion())
   }
 }

actions/ql/lib/ext/config/actions_permissions.yml

@@ -22,21 +22,16 @@ extensions:
       - ["actions/stale", "pull-requests: write"]
       - ["actions/attest-build-provenance", "id-token: write"]
       - ["actions/attest-build-provenance", "attestations: write"]
-      - ["actions/deploy-pages", "pages: write"]
-      - ["actions/deploy-pages", "id-token: write"]
-      - ["actions/delete-package-versions", "packages: write"]
       - ["actions/jekyll-build-pages", "contents: read"]
       - ["actions/jekyll-build-pages", "pages: write"]
       - ["actions/jekyll-build-pages", "id-token: write"]
       - ["actions/publish-action", "contents: write"]
-      - ["actions/versions-package-tools", "contents: read"]
+      - ["actions/versions-package-tools", "contents: read"]      
       - ["actions/versions-package-tools", "actions: read"]
-      - ["actions/reusable-workflows", "contents: read"]
+      - ["actions/reusable-workflows", "contents: read"]      
       - ["actions/reusable-workflows", "actions: read"]
-      - ["actions/ai-inference", "contents: read"]
-      - ["actions/ai-inference", "models: read"]
       # TODO: Add permissions for actions/download-artifact
       # TODO: Add permissions for actions/upload-artifact
-      # No permissions needed for actions/upload-pages-artifact
       # TODO: Add permissions for actions/cache
-      # No permissions needed for actions/configure-pages
+
+      

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.19
+version: 0.4.8-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,77 +1,5 @@
-## 0.6.11
-
-No user-facing changes.
-
-## 0.6.10
-
-No user-facing changes.
-
-## 0.6.9
-
-### Minor Analysis Improvements
-
-* Actions analysis now reports file coverage information on the CodeQL status page.
-
-## 0.6.8
-
-No user-facing changes.
-
-## 0.6.7
-
-No user-facing changes.
-
-## 0.6.6
-
-No user-facing changes.
-
-## 0.6.5
-
-No user-facing changes.
-
-## 0.6.4
-
-No user-facing changes.
-
-## 0.6.3
-
-No user-facing changes.
-
-## 0.6.2
-
-### Minor Analysis Improvements
-
-* The query `actions/missing-workflow-permissions` is now aware of the minimal permissions needed for the actions `deploy-pages`, `delete-package-versions`, `ai-inference`. This should lead to better alert messages and better fix suggestions.
-
-## 0.6.1
-
-No user-facing changes.
-
-## 0.6.0
-
-### Breaking Changes
-
-* The following queries have been removed from the `security-and-quality` suite.
-  They are not intended to produce user-facing
-  alerts describing vulnerabilities.
-  Any existing alerts for these queries will be closed automatically.
-  * `actions/composite-action-sinks`
-  * `actions/composite-action-sources`
-  * `actions/composite-action-summaries`
-  * `actions/reusable-workflow-sinks`
-    (renamed from `actions/reusable-wokflow-sinks`)
-  * `actions/reusable-workflow-sources`
-  * `actions/reusable-workflow-summaries`
-
-### Bug Fixes
-
-* Assigned a `security-severity` to the query `actions/excessive-secrets-exposure`.
-
 ## 0.5.4
 
-### New Features
-
-* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
-
 ### Bug Fixes
 
 * Alerts produced by the query `actions/missing-workflow-permissions` now include a minimal set of recommended permissions in the alert message, based on well-known actions seen within the workflow file.

actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql

@@ -1,13 +0,0 @@
-/**
- * @id actions/diagnostics/successfully-extracted-files
- * @name Extracted files
- * @description List all files that were extracted.
- * @kind diagnostic
- * @tags successfully-extracted-files
- */
-
-private import codeql.Locations
-
-from File f
-where exists(f.getRelativePath())
-select f, ""