add overlay[caller] annotations

set compileForOverlayEval true for java
synchronise files
2026-06-05 13:37:06 +02:00 · 2025-04-21 10:09:30 +01:00 · 2025-04-21 10:09:01 +01:00 · 2025-04-21 10:08:59 +01:00 · 2025-04-21 10:08:56 +01:00
14535 changed files with 412343 additions and 1461047 deletions
--- a/.bazelrc
+++ b/.bazelrc
@@ -11,8 +11,6 @@ build --compilation_mode opt
 common --override_module=semmle_code=%workspace%/misc/bazel/semmle_code_stub
 build --repo_env=CC=clang --repo_env=CXX=clang++
 # Disable Android SDK auto-detection (we don't use it, and rules_android has Bazel 9 compatibility issues)
 build --repo_env=ANDROID_HOME=
 # print test output, like sembuild does.
 # Set to `errors` if this is too verbose.
@@ -32,11 +30,8 @@ common --registry=https://bcr.bazel.build
 common --@rules_dotnet//dotnet/settings:strict_deps=false
 # we only configure a nightly toolchain
 common --@rules_rust//rust/toolchain/channel=nightly
 # Reduce this eventually to empty, once we've fixed all our usages of java, and https://github.com/bazel-contrib/rules_go/issues/4193 is fixed
-common --incompatible_autoload_externally="+@rules_cc,+@rules_java,+@rules_shell"
+common --incompatible_autoload_externally="+@rules_java,+@rules_shell"
 build --java_language_version=17
 build --tool_java_language_version=17
--- a/.bazelversion
+++ b/.bazelversion
@@ -1 +1 @@
-9.0.0
+8.1.1
--- a/.gitattributes
+++ b/.gitattributes
@@ -82,6 +82,9 @@
 /csharp/paket.main.bzl linguist-generated=true
 /csharp/paket.main_extension.bzl linguist-generated=true
 # ripunzip tool
 /misc/ripunzip/ripunzip-* filter=lfs diff=lfs merge=lfs -text
 # swift prebuilt resources
 /swift/third_party/resources/*.zip filter=lfs diff=lfs merge=lfs -text
 /swift/third_party/resources/*.tar.zst filter=lfs diff=lfs merge=lfs -text
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -40,10 +40,3 @@ updates:
      - dependency-name: "*"
    reviewers:
      - "github/codeql-go"
  - package-ecosystem: bazel
    directory: "/"
    schedule:
      interval: weekly
    exclude-paths:
      - "misc/bazel/registry/**"
--- a/.github/instructions/expected-files.instructions.md
+++ b/.github/instructions/expected-files.instructions.md
@@ -1,4 +0,0 @@
 ---
 applyTo: "**/*.expected"
 ---
 Ignore these files. These are generated to be correct by running the tests, and should not be edited manually.
--- a/.github/instructions/ql-files.instructions.md
+++ b/.github/instructions/ql-files.instructions.md
@@ -1,6 +0,0 @@
 ---
 applyTo: "**/*.ql,**/*.qll"
 ---
 When reviewing these QL files, do not make any comment on the code itself. You don't understand the QL programming language well enough yet. You can only make comments about the following aspects:
 * comments (lines starting with `//` or block comments enclosed in `/* ... */`): you can suggest improvements to the clarity of comments, or point out spelling mistakes
 * typos in identifiers
--- a/.github/workflows/build-ripunzip.yml
+++ b/.github/workflows/build-ripunzip.yml
@@ -0,0 +1,74 @@
 name: Build runzip
 on:
  workflow_dispatch:
    inputs:
      ripunzip-version:
        description: "what reference to checktout from google/runzip"
        required: false
        default: v1.2.1
      openssl-version:
        description: "what reference to checkout from openssl/openssl for Linux"
        required: false
        default: openssl-3.3.0
 jobs:
  build:
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-22.04, macos-13, windows-2019]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
        with:
          repository: google/ripunzip
          ref: ${{ inputs.ripunzip-version }}
      # we need to avoid ripunzip dynamically linking into libssl
      # see https://github.com/sfackler/rust-openssl/issues/183
      - if: runner.os == 'Linux'
        name: checkout openssl
        uses: actions/checkout@v4
        with:
          repository: openssl/openssl
          path: openssl
          ref: ${{ inputs.openssl-version }}
      - if: runner.os == 'Linux'
        name: build and install openssl with fPIC
        shell: bash
        working-directory: openssl
        run: |
          ./config -fPIC --prefix=$HOME/.local --openssldir=$HOME/.local/ssl
          make -j $(nproc)
          make install_sw -j $(nproc)
      - if: runner.os == 'Linux'
        name: build (linux)
        shell: bash
        run: |
          env OPENSSL_LIB_DIR=$HOME/.local/lib64 OPENSSL_INCLUDE_DIR=$HOME/.local/include OPENSSL_STATIC=yes cargo build --release
          mv target/release/ripunzip ripunzip-linux
      - if: runner.os == 'Windows'
        name: build (windows)
        shell: bash
        run: |
          cargo build --release
          mv target/release/ripunzip ripunzip-windows
      - name: build (macOS)
        if: runner.os == 'macOS'
        shell: bash
        run: |
          rustup target install x86_64-apple-darwin
          rustup target install aarch64-apple-darwin
          cargo build --target x86_64-apple-darwin --release
          cargo build --target aarch64-apple-darwin --release
          lipo -create -output ripunzip-macos \
            -arch x86_64 target/x86_64-apple-darwin/release/ripunzip \
            -arch arm64 target/aarch64-apple-darwin/release/ripunzip
      - uses: actions/upload-artifact@v4
        with:
          name: ripunzip-${{ runner.os }}
          path: ripunzip-*
      - name: Check built binary
        shell: bash
        run: |
          ./ripunzip-* --version
--- a/.github/workflows/buildifier.yml
+++ b/.github/workflows/buildifier.yml
@@ -17,7 +17,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Check bazel formatting
        uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
        with:
--- a/.github/workflows/check-change-note.yml
+++ b/.github/workflows/check-change-note.yml
@@ -16,6 +16,7 @@ on:
      - "shared/**/*.qll"
      - "!**/experimental/**"
      - "!ql/**"
      - "!rust/**"
      - ".github/workflows/check-change-note.yml"
 jobs:
--- a/.github/workflows/check-implicit-this.yml
+++ b/.github/workflows/check-implicit-this.yml
@@ -16,7 +16,7 @@ jobs:
  check:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Check that implicit this warnings is enabled for all packs
        shell: bash
        run: |
--- a/.github/workflows/check-overlay-annotations.yml
+++ b/.github/workflows/check-overlay-annotations.yml
@@ -1,23 +0,0 @@
 name: Check overlay annotations
 on:
  push:
    branches:
      - main
      - 'rc/*'
  pull_request:
    branches:
      - main
      - 'rc/*'
 permissions:
  contents: read
 jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - name: Check overlay annotations
        run: python config/add-overlay-annotations.py --check java
--- a/.github/workflows/check-qldoc.yml
+++ b/.github/workflows/check-qldoc.yml
@@ -18,7 +18,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
        with:
          fetch-depth: 2
--- a/.github/workflows/check-query-ids.yml
+++ b/.github/workflows/check-query-ids.yml
@@ -19,6 +19,6 @@ jobs:
    name: Check query IDs
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Check for duplicate query IDs
        run: python3 misc/scripts/check-query-ids.py
--- a/.github/workflows/codegen.yml
+++ b/.github/workflows/codegen.yml
@@ -0,0 +1,34 @@
 name: Codegen
 on:
  pull_request:
    paths:
      - "misc/bazel/**"
      - "misc/codegen/**"
      - "*.bazel*"
      - .github/workflows/codegen.yml
      - .pre-commit-config.yaml
    branches:
      - main
      - rc/*
      - codeql-cli-*
 permissions:
  contents: read
 jobs:
  codegen:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v4
        with:
          python-version-file: 'misc/codegen/.python-version'
      - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
        name: Check that python code is properly formatted
        with:
          extra_args: autopep8 --all-files
      - name: Run codegen tests
        shell: bash
        run: |
          bazel test //misc/codegen/...
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -34,10 +34,10 @@ jobs:
    - name: Setup dotnet
      uses: actions/setup-dotnet@v4
      with:
-        dotnet-version: 10.0.100
+        dotnet-version: 9.0.100
    - name: Checkout repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v4
    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
--- a/.github/workflows/compile-queries.yml
+++ b/.github/workflows/compile-queries.yml
@@ -0,0 +1,46 @@
 name: "Compile all queries using the latest stable CodeQL CLI"
 on:
  push:
    branches:  # makes sure the cache gets populated - running on the branches people tend to merge into.
      - main
      - "rc/*"
      - "codeql-cli-*"
  pull_request:
    paths:
      - '**.ql'
      - '**.qll'
      - '**/qlpack.yml'
      - '**.dbscheme'
 permissions:
  contents: read
 jobs:
  compile-queries:
    if: github.repository_owner == 'github'
    runs-on: ubuntu-latest-xl
    steps:
      - uses: actions/checkout@v4
      - name: Setup CodeQL
        uses: ./.github/actions/fetch-codeql
        with:
          channel: 'release'
      - name: Cache compilation cache
        id: query-cache
        uses: ./.github/actions/cache-query-compilation
        with: 
          key: all-queries
      - name: check formatting
        run: find shared */ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 -n 3000 -P 10 codeql query format -q --check-only
      - name: compile queries - check-only
        # run with --check-only if running in a PR (github.sha != main)
        if : ${{ github.event_name == 'pull_request' }}
        shell: bash
        run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
      - name: compile queries - full
        # do full compile if running on main - this populates the cache
        if : ${{ github.event_name != 'pull_request' }}
        shell: bash
        run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
--- a/.github/workflows/cpp-swift-analysis.yml
+++ b/.github/workflows/cpp-swift-analysis.yml
@@ -28,7 +28,7 @@ jobs:
    steps:
    - name: Checkout repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v4
    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
--- a/.github/workflows/csharp-qltest.yml
+++ b/.github/workflows/csharp-qltest.yml
@@ -36,26 +36,26 @@ jobs:
  unit-tests:
    strategy:
      matrix:
-        os: [ubuntu-latest, windows-latest]
+        os: [ubuntu-latest, windows-2019]
    runs-on: ${{ matrix.os }}
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Setup dotnet
        uses: actions/setup-dotnet@v4
        with:
-          dotnet-version: 10.0.100
+          dotnet-version: 9.0.100
      - name: Extractor unit tests
        run: |
          dotnet tool restore
-          dotnet test -p:RuntimeFrameworkVersion=10.0.0 extractor/Semmle.Util.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.0 extractor/Semmle.Util.Tests
-          dotnet test -p:RuntimeFrameworkVersion=10.0.0 extractor/Semmle.Extraction.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.0 extractor/Semmle.Extraction.Tests
-          dotnet test -p:RuntimeFrameworkVersion=10.0.0 autobuilder/Semmle.Autobuild.CSharp.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.0 autobuilder/Semmle.Autobuild.CSharp.Tests
-          dotnet test -p:RuntimeFrameworkVersion=10.0.0 autobuilder/Semmle.Autobuild.Cpp.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.0 autobuilder/Semmle.Autobuild.Cpp.Tests
        shell: bash
  stubgentest:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - uses: ./csharp/actions/create-extractor-pack
      - name: Run stub generator tests
        run: |
@@ -66,6 +66,6 @@ jobs:
          # Update existing stubs in the repo with the freshly generated ones
          mv "$STUBS_PATH/output/stubs/_frameworks" ql/test/resources/stubs/
          git status
-          codeql test run --threads=0 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote
+          codeql test run --threads=0 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote
        env:
          GITHUB_TOKEN: ${{ github.token }}
--- a/.github/workflows/csv-coverage-metrics.yml
+++ b/.github/workflows/csv-coverage-metrics.yml
@@ -23,7 +23,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Setup CodeQL
        uses: ./.github/actions/fetch-codeql
      - name: Create empty database
@@ -51,7 +51,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Setup CodeQL
        uses: ./.github/actions/fetch-codeql
      - name: Create empty database
--- a/.github/workflows/csv-coverage-pr-artifacts.yml
+++ b/.github/workflows/csv-coverage-pr-artifacts.yml
@@ -35,11 +35,11 @@ jobs:
          GITHUB_CONTEXT: ${{ toJSON(github.event) }}
        run: echo "$GITHUB_CONTEXT"
      - name: Clone self (github/codeql) - MERGE
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
        with:
          path: merge
      - name: Clone self (github/codeql) - BASE
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
        with:
          fetch-depth: 2
          path: base
--- a/.github/workflows/csv-coverage-pr-comment.yml
+++ b/.github/workflows/csv-coverage-pr-comment.yml
@@ -24,7 +24,7 @@ jobs:
        GITHUB_CONTEXT: ${{ toJSON(github.event) }}
      run: echo "$GITHUB_CONTEXT"
    - name: Clone self (github/codeql)
-      uses: actions/checkout@v5
+      uses: actions/checkout@v4
    - name: Set up Python 3.8
      uses: actions/setup-python@v4
      with:
--- a/.github/workflows/csv-coverage-timeseries.yml
+++ b/.github/workflows/csv-coverage-timeseries.yml
@@ -12,11 +12,11 @@ jobs:
    steps:
      - name: Clone self (github/codeql)
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
        with:
          path: script
      - name: Clone self (github/codeql) for analysis
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
        with:
          path: codeqlModels
          fetch-depth: 0
--- a/.github/workflows/csv-coverage-update.yml
+++ b/.github/workflows/csv-coverage-update.yml
@@ -21,7 +21,7 @@ jobs:
          GITHUB_CONTEXT: ${{ toJSON(github.event) }}
        run: echo "$GITHUB_CONTEXT"
      - name: Clone self (github/codeql)
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
        with:
          path: ql
          fetch-depth: 0
--- a/.github/workflows/csv-coverage.yml
+++ b/.github/workflows/csv-coverage.yml
@@ -16,11 +16,11 @@ jobs:
    steps:
      - name: Clone self (github/codeql)
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
        with:
          path: script
      - name: Clone self (github/codeql) for analysis
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
        with:
          path: codeqlModels
          ref: ${{ github.event.inputs.qlModelShaOverride || github.ref }}
--- a/.github/workflows/fast-forward.yml
+++ b/.github/workflows/fast-forward.yml
@@ -26,7 +26,7 @@ jobs:
          exit 1
      - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Git config
        shell: bash
--- a/.github/workflows/go-tests-other-os.yml
+++ b/.github/workflows/go-tests-other-os.yml
@@ -0,0 +1,36 @@
 name: "Go: Run Tests - Other OS"
 on:
  pull_request:
    paths:
      - "go/**"
      - "!go/documentation/**"
      - "!go/ql/**" # don't run other-os if only ql/ files changed
      - .github/workflows/go-tests-other-os.yml
      - .github/actions/**
      - codeql-workspace.yml
      - MODULE.bazel
      - .bazelrc
      - misc/bazel/**
 permissions:
  contents: read
 jobs:
  test-mac:
    name: Test MacOS
    runs-on: macos-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v4
      - name: Run tests
        uses: ./go/actions/test
  test-win:
    if: github.repository_owner == 'github'
    name: Test Windows
    runs-on: windows-latest-xl
    steps:
      - name: Check out code
        uses: actions/checkout@v4
      - name: Run tests
        uses: ./go/actions/test
--- a/.github/workflows/go-tests-rtjo.yml
+++ b/.github/workflows/go-tests-rtjo.yml
@@ -0,0 +1,22 @@
 name: "Go: Run RTJO Tests"
 on:
  pull_request:
    types:
      - labeled
 permissions:
  contents: read
 jobs:
  test-linux:
    if: "github.repository_owner == 'github' && github.event.label.name == 'Run: RTJO Language Tests'"
    name: RTJO Test Linux (Ubuntu)
    runs-on: ubuntu-latest-xl
    steps:
      - name: Check out code
        uses: actions/checkout@v4
      - name: Run tests
        uses: ./go/actions/test
        with:
          run-code-checks: true
          dynamic-join-order-mode: all
--- a/.github/workflows/go-tests.yml
+++ b/.github/workflows/go-tests.yml
@@ -1,6 +1,6 @@
 name: "Go: Run Tests"
 on:
-  pull_request:
+  push:
    paths:
      - "go/**"
      - "!go/documentation/**"
@@ -8,6 +8,17 @@ on:
      - .github/workflows/go-tests.yml
      - .github/actions/**
      - codeql-workspace.yml
    branches:
      - main
      - "rc/*"
  pull_request:
    paths:
      - "go/**"
      - "!go/documentation/**"      
      - "shared/**"
      - .github/workflows/go-tests.yml
      - .github/actions/**
      - codeql-workspace.yml
      - MODULE.bazel
      - .bazelrc
      - misc/bazel/**
@@ -22,7 +33,7 @@ jobs:
    runs-on: ubuntu-latest-xl
    steps:
      - name: Check out code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Run tests
        uses: ./go/actions/test
        with:
--- a/.github/workflows/kotlin-build.yml
+++ b/.github/workflows/kotlin-build.yml
@@ -20,7 +20,7 @@ jobs:
  build:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - run: |
          bazel query //java/kotlin-extractor/...
          # only build the default version as a quick check that we can build from `codeql`
--- a/.github/workflows/mad_modelDiff.yml
+++ b/.github/workflows/mad_modelDiff.yml
@@ -28,12 +28,12 @@ jobs:
        slug: ${{fromJson(github.event.inputs.projects || '["apache/commons-codec", "apache/commons-io", "apache/commons-beanutils", "apache/commons-logging", "apache/commons-fileupload", "apache/commons-lang", "apache/commons-validator", "apache/commons-csv", "apache/dubbo"]' )}}
    steps:
      - name: Clone github/codeql from PR
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
        if: github.event.pull_request
        with:
          path: codeql-pr
      - name: Clone github/codeql from main
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
        with:
          path: codeql-main
          ref: main
@@ -68,9 +68,9 @@ jobs:
            DATABASE=$2
            cd codeql-$QL_VARIANT
            SHORTNAME=`basename $DATABASE`
-            python misc/scripts/models-as-data/generate_mad.py --language java --with-summaries --with-sinks $DATABASE $SHORTNAME/$QL_VARIANT
+            python java/ql/src/utils/modelgenerator/GenerateFlowModel.py --with-summaries --with-sinks $DATABASE $SHORTNAME/$QL_VARIANT
            mkdir -p $MODELS/$SHORTNAME
-            mv java/ql/lib/ext/generated/modelgenerator/$SHORTNAME/$QL_VARIANT $MODELS/$SHORTNAME
+            mv java/ql/lib/ext/generated/$SHORTNAME/$QL_VARIANT $MODELS/$SHORTNAME
            cd ..
          }
--- a/.github/workflows/mad_regenerate-models.yml
+++ b/.github/workflows/mad_regenerate-models.yml
@@ -30,11 +30,11 @@ jobs:
            ref: "placeholder"
    steps:
      - name: Clone self (github/codeql)
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Setup CodeQL binaries
        uses: ./.github/actions/fetch-codeql
      - name: Clone repositories
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
        with:
          path: repos/${{ matrix.ref }}
          ref: ${{ matrix.ref }}
--- a/.github/workflows/python-tooling.yml
+++ b/.github/workflows/python-tooling.yml
@@ -1,35 +0,0 @@
 name: Python tooling
 on:
  pull_request:
    paths:
      - "misc/bazel/**"
      - "misc/codegen/**"
      - "misc/scripts/models-as-data/*.py"
      - "*.bazel*"
      - .github/workflows/codegen.yml
      - .pre-commit-config.yaml
    branches:
      - main
      - rc/*
      - codeql-cli-*
 permissions:
  contents: read
 jobs:
  check-python-tooling:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: actions/setup-python@v5
        with:
          python-version: '3.12'
      - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
        name: Check that python code is properly formatted
        with:
          extra_args: black --all-files
      - name: Run codegen tests
        shell: bash
        run: |
          bazel test //misc/codegen/...
--- a/.github/workflows/qhelp-pr-preview.yml
+++ b/.github/workflows/qhelp-pr-preview.yml
@@ -43,7 +43,7 @@ jobs:
          if-no-files-found: error
          retention-days: 1
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
        with:
          fetch-depth: 2
          persist-credentials: false
--- a/.github/workflows/ql-for-ql-build.yml
+++ b/.github/workflows/ql-for-ql-build.yml
@@ -19,7 +19,7 @@ jobs:
    runs-on: ubuntu-latest-xl
    steps:
      ### Build the queries ###
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Find codeql
@@ -27,7 +27,6 @@ jobs:
        uses: github/codeql-action/init@main
        with:
          languages: javascript # does not matter
          tools: nightly
      - uses: ./.github/actions/os-version
        id: os_version
      ### Build the extractor ###
--- a/.github/workflows/ql-for-ql-dataset_measure.yml
+++ b/.github/workflows/ql-for-ql-dataset_measure.yml
@@ -25,7 +25,7 @@ jobs:
          - github/codeql
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Find codeql
        id: find-codeql
@@ -46,14 +46,14 @@ jobs:
        env:
          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
      - name: Checkout ${{ matrix.repo }}
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
        with:
          repository: ${{ matrix.repo }}
          path: ${{ github.workspace }}/repo
      - name: Create database
        run: |
          "${CODEQL}" database create \
-          --search-path "${{ github.workspace }}" \
+          --search-path "${{ github.workspace }}"
          --threads 4 \
            --language ql --source-root "${{ github.workspace }}/repo" \
            "${{ runner.temp }}/database"
@@ -75,7 +75,7 @@ jobs:
    runs-on: ubuntu-latest
    needs: measure
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          name: measurements
--- a/.github/workflows/ql-for-ql-tests.yml
+++ b/.github/workflows/ql-for-ql-tests.yml
@@ -24,13 +24,12 @@ jobs:
  qltest:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Find codeql
        id: find-codeql
        uses: github/codeql-action/init@main
        with:
          languages: javascript # does not matter
          tools: nightly
      - uses: ./.github/actions/os-version
        id: os_version
      - uses: actions/cache@v3
@@ -65,7 +64,7 @@ jobs:
    needs: [qltest]
    runs-on: ${{ matrix.os }}
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Install GNU tar
        if: runner.os == 'macOS'
        run: |
@@ -76,7 +75,6 @@ jobs:
        uses: github/codeql-action/init@main
        with:
          languages: javascript # does not matter
          tools: nightly
      - uses: ./.github/actions/os-version
        id: os_version
      - uses: actions/cache@v3
--- a/.github/workflows/query-list.yml
+++ b/.github/workflows/query-list.yml
@@ -23,7 +23,7 @@ jobs:
    steps:
    - name: Clone self (github/codeql)
-      uses: actions/checkout@v5
+      uses: actions/checkout@v4
      with:
        path: codeql 
    - name: Set up Python 3.8
@@ -31,7 +31,7 @@ jobs:
      with:
        python-version: 3.8
    - name: Download CodeQL CLI
-      # Look under the `codeql` directory, as this is where we checked out the `github/codeql` repo
+      # Look under the `codeql` directory, as this is where we checked out the `github/codeql` repo
      uses: ./codeql/.github/actions/fetch-codeql
    - name: Build code scanning query list
      run: |
--- a/.github/workflows/ruby-build.yml
+++ b/.github/workflows/ruby-build.yml
@@ -0,0 +1,236 @@
 name: "Ruby: Build"
 on:
  push:
    paths:
      - "ruby/**"
      - .github/workflows/ruby-build.yml
      - .github/actions/fetch-codeql/action.yml
      - codeql-workspace.yml
      - "shared/tree-sitter-extractor/**"
    branches:
      - main
      - "rc/*"
  pull_request:
    paths:
      - "ruby/**"
      - .github/workflows/ruby-build.yml
      - .github/actions/fetch-codeql/action.yml
      - codeql-workspace.yml
      - "shared/tree-sitter-extractor/**"
    branches:
      - main
      - "rc/*"
  workflow_dispatch:
    inputs:
      tag:
        description: "Version tag to create"
        required: false
 env:
  CARGO_TERM_COLOR: always
 defaults:
  run:
    working-directory: ruby
 permissions:
  contents: read
 jobs:
  build:
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
      - name: Install GNU tar
        if: runner.os == 'macOS'
        run: |
          brew install gnu-tar
          echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
      - name: Prepare Windows
        if: runner.os == 'Windows'
        shell: powershell
        run: |
          git config --global core.longpaths true
      - uses: ./.github/actions/os-version
        id: os_version
      - name: Cache entire extractor
        uses: actions/cache@v3
        id: cache-extractor
        with:
          path: |
            target/release/codeql-extractor-ruby
            target/release/codeql-extractor-ruby.exe
            ruby/extractor/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-extractor-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/Cargo.lock') }}-${{ hashFiles('shared/tree-sitter-extractor') }}-${{ hashFiles('ruby/extractor/**/*.rs') }}
      - uses: actions/cache@v3
        if: steps.cache-extractor.outputs.cache-hit != 'true'
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-rust-cargo-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/**/Cargo.lock') }}
      - name: Check formatting
        if: steps.cache-extractor.outputs.cache-hit != 'true'
        run: cd extractor && cargo fmt -- --check
      - name: Build
        if: steps.cache-extractor.outputs.cache-hit != 'true'
        run: cd extractor && cargo build --verbose
      - name: Run tests
        if: steps.cache-extractor.outputs.cache-hit != 'true'
        run: cd extractor && cargo test --verbose
      - name: Release build
        if: steps.cache-extractor.outputs.cache-hit != 'true'
        run: cd extractor && cargo build --release
      - name: Generate dbscheme
        if: ${{ matrix.os == 'ubuntu-latest' && steps.cache-extractor.outputs.cache-hit != 'true'}}
        run: ../target/release/codeql-extractor-ruby generate --dbscheme ql/lib/ruby.dbscheme --library ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
      - uses: actions/upload-artifact@v4
        if: ${{ matrix.os == 'ubuntu-latest' }}
        with:
          name: ruby.dbscheme
          path: ruby/ql/lib/ruby.dbscheme
      - uses: actions/upload-artifact@v4
        if: ${{ matrix.os == 'ubuntu-latest' }}
        with:
          name: TreeSitter.qll
          path: ruby/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
      - uses: actions/upload-artifact@v4
        with:
          name: extractor-${{ matrix.os }}
          path: |
            target/release/codeql-extractor-ruby
            target/release/codeql-extractor-ruby.exe
          retention-days: 1
  compile-queries:
    if: github.repository_owner == 'github'
    runs-on: ubuntu-latest-xl
    steps:
      - uses: actions/checkout@v4
      - name: Fetch CodeQL
        uses: ./.github/actions/fetch-codeql
      - name: Cache compilation cache
        id: query-cache
        uses: ./.github/actions/cache-query-compilation
        with:
          key: ruby-build
      - name: Build Query Pack
        run: |
          PACKS=${{ runner.temp }}/query-packs
          rm -rf $PACKS
          codeql pack create ../misc/suite-helpers --output "$PACKS"
          codeql pack create ../shared/regex --output "$PACKS"
          codeql pack create ../shared/ssa --output "$PACKS"
          codeql pack create ../shared/tutorial --output "$PACKS"
          codeql pack create ql/lib --output "$PACKS"
          codeql pack create -j0 ql/src --output "$PACKS" --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
          PACK_FOLDER=$(readlink -f "$PACKS"/codeql/ruby-queries/*)
          codeql generate query-help --format=sarifv2.1.0 --output="${PACK_FOLDER}/rules.sarif" ql/src
          (cd ql/src; find queries \( -name '*.qhelp' -o -name '*.rb' -o -name '*.erb' \) -exec bash -c 'mkdir -p "'"${PACK_FOLDER}"'/$(dirname "{}")"' \; -exec cp "{}" "${PACK_FOLDER}/{}" \;)
      - uses: actions/upload-artifact@v4
        with:
          name: codeql-ruby-queries
          path: |
            ${{ runner.temp }}/query-packs/*
          retention-days: 1
          include-hidden-files: true
  package:
    runs-on: ubuntu-latest
    needs: [build, compile-queries]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          name: ruby.dbscheme
          path: ruby/ruby
      - uses: actions/download-artifact@v4
        with:
          name: extractor-ubuntu-latest
          path: ruby/linux64
      - uses: actions/download-artifact@v4
        with:
          name: extractor-windows-latest
          path: ruby/win64
      - uses: actions/download-artifact@v4
        with:
          name: extractor-macos-latest
          path: ruby/osx64
      - run: |
          mkdir -p ruby
          cp -r codeql-extractor.yml tools ql/lib/ruby.dbscheme.stats ruby/
          mkdir -p ruby/tools/{linux64,osx64,win64}
          cp linux64/codeql-extractor-ruby ruby/tools/linux64/extractor
          cp osx64/codeql-extractor-ruby ruby/tools/osx64/extractor
          cp win64/codeql-extractor-ruby.exe ruby/tools/win64/extractor.exe
          chmod +x ruby/tools/{linux64,osx64}/extractor
          zip -rq codeql-ruby.zip ruby
      - uses: actions/upload-artifact@v4
        with:
          name: codeql-ruby-pack
          path: ruby/codeql-ruby.zip
          retention-days: 1
          include-hidden-files: true
      - uses: actions/download-artifact@v4
        with:
          name: codeql-ruby-queries
          path: ruby/qlpacks
      - run: |
          echo '{
            "provide": [
            "ruby/codeql-extractor.yml",
            "qlpacks/*/*/*/qlpack.yml"
            ]
          }' > .codeqlmanifest.json
          zip -rq codeql-ruby-bundle.zip .codeqlmanifest.json ruby qlpacks
      - uses: actions/upload-artifact@v4
        with:
          name: codeql-ruby-bundle
          path: ruby/codeql-ruby-bundle.zip
          retention-days: 1
          include-hidden-files: true
  test:
    defaults:
      run:
        working-directory: ${{ github.workspace }}
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
    runs-on: ${{ matrix.os }}
    needs: [package]
    steps:
      - uses: actions/checkout@v4
      - name: Fetch CodeQL
        uses: ./.github/actions/fetch-codeql
      - name: Download Ruby bundle
        uses: actions/download-artifact@v4
        with:
          name: codeql-ruby-bundle
          path: ${{ runner.temp }}
      - name: Unzip Ruby bundle
        shell: bash
        run: unzip -q -d "${{ runner.temp }}/ruby-bundle" "${{ runner.temp }}/codeql-ruby-bundle.zip"
      - name: Run QL test
        shell: bash
        run: |
          codeql test run --search-path "${{ runner.temp }}/ruby-bundle" --additional-packs "${{ runner.temp }}/ruby-bundle" ruby/ql/test/library-tests/ast/constants/
      - name: Create database
        shell: bash
        run: |
          codeql database create --search-path "${{ runner.temp }}/ruby-bundle" --language ruby --source-root ruby/ql/test/library-tests/ast/constants/ ../database
      - name: Analyze database
        shell: bash
        run: |
          codeql database analyze --search-path "${{ runner.temp }}/ruby-bundle" --format=sarifv2.1.0 --output=out.sarif ../database ruby-code-scanning.qls
--- a/.github/workflows/ruby-dataset-measure.yml
+++ b/.github/workflows/ruby-dataset-measure.yml
@@ -0,0 +1,75 @@
 name: "Ruby: Collect database stats"
 on:
  push:
    branches:
      - main
      - "rc/*"
    paths:
      - ruby/ql/lib/ruby.dbscheme
      - .github/workflows/ruby-dataset-measure.yml
  pull_request:
    branches:
      - main
      - "rc/*"
    paths:
      - ruby/ql/lib/ruby.dbscheme
      - .github/workflows/ruby-dataset-measure.yml
  workflow_dispatch:
 permissions:
  contents: read
 jobs:
  measure:
    env:
      CODEQL_THREADS: 4 # TODO: remove this once it's set by the CLI
    strategy:
      fail-fast: false
      matrix:
        repo: [rails/rails, discourse/discourse, spree/spree, ruby/ruby]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/fetch-codeql
      - uses: ./ruby/actions/create-extractor-pack
      - name: Checkout ${{ matrix.repo }}
        uses: actions/checkout@v4
        with:
          repository: ${{ matrix.repo }}
          path: ${{ github.workspace }}/repo
      - name: Create database
        run: |
          codeql database create \
            --search-path "${{ github.workspace }}" \
            --threads 4 \
            --language ruby --source-root "${{ github.workspace }}/repo" \
            "${{ runner.temp }}/database"
      - name: Measure database
        run: |
          mkdir -p "stats/${{ matrix.repo }}"
          codeql dataset measure --threads 4 --output "stats/${{ matrix.repo }}/stats.xml" "${{ runner.temp }}/database/db-ruby"
      - uses: actions/upload-artifact@v4
        with:
          name: measurements-${{ hashFiles('stats/**') }}
          path: stats
          retention-days: 1
  merge:
    runs-on: ubuntu-latest
    needs: measure
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          path: stats
      - run: |
          python -m pip install --user lxml
          find stats -name 'stats.xml' | sort | xargs python ruby/scripts/merge_stats.py --output ruby/ql/lib/ruby.dbscheme.stats --normalise ruby_tokeninfo
      - uses: actions/upload-artifact@v4
        with:
          name: ruby.dbscheme.stats
          path: ruby/ql/lib/ruby.dbscheme.stats
--- a/.github/workflows/ruby-qltest-rtjo.yml
+++ b/.github/workflows/ruby-qltest-rtjo.yml
@@ -0,0 +1,40 @@
 name: "Ruby: Run RTJO Language Tests"
 on:
  pull_request:
    types:
      - opened
      - synchronize
      - reopened
      - labeled
 env:
  CARGO_TERM_COLOR: always
 defaults:
  run:
    working-directory: ruby
 permissions:
  contents: read
 jobs:
  qltest-rtjo:
    if: "github.repository_owner == 'github' && github.event.label.name == 'Run: RTJO Language Tests'"
    runs-on: ubuntu-latest-xl
    strategy:
      fail-fast: false
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/fetch-codeql
      - uses: ./ruby/actions/create-extractor-pack
      - name: Cache compilation cache
        id: query-cache
        uses: ./.github/actions/cache-query-compilation
        with:
          key: ruby-qltest
      - name: Run QL tests
        run: |
          codeql test run --dynamic-join-order-mode=all --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
        env:
          GITHUB_TOKEN: ${{ github.token }}
--- a/.github/workflows/ruby-qltest.yml
+++ b/.github/workflows/ruby-qltest.yml
@@ -0,0 +1,73 @@
 name: "Ruby: Run QL Tests"
 on:
  push:
    paths:
      - "ruby/**"
      - "shared/**"
      - .github/workflows/ruby-build.yml
      - .github/actions/fetch-codeql/action.yml
      - codeql-workspace.yml
    branches:
      - main
      - "rc/*"
  pull_request:
    paths:
      - "ruby/**"
      - "shared/**"
      - .github/workflows/ruby-qltest.yml
      - .github/actions/fetch-codeql/action.yml
      - codeql-workspace.yml
    branches:
      - main
      - "rc/*"
 env:
  CARGO_TERM_COLOR: always
 defaults:
  run:
    working-directory: ruby
 permissions:
  contents: read
 jobs:
  qlupgrade:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/fetch-codeql
      - name: Check DB upgrade scripts
        run: |
          echo >empty.trap
          codeql dataset import -S ql/lib/upgrades/initial/ruby.dbscheme testdb empty.trap
          codeql dataset upgrade testdb --additional-packs ql/lib
          diff -q testdb/ruby.dbscheme ql/lib/ruby.dbscheme
      - name: Check DB downgrade scripts
        run: |
          echo >empty.trap
          rm -rf testdb; codeql dataset import -S ql/lib/ruby.dbscheme testdb empty.trap
          codeql resolve upgrades --format=lines --allow-downgrades --additional-packs downgrades \
           --dbscheme=ql/lib/ruby.dbscheme --target-dbscheme=downgrades/initial/ruby.dbscheme |
           xargs codeql execute upgrades testdb
          diff -q testdb/ruby.dbscheme downgrades/initial/ruby.dbscheme
  qltest:
    if: github.repository_owner == 'github'
    runs-on: ubuntu-latest-xl
    strategy:
      fail-fast: false
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/fetch-codeql
      - uses: ./ruby/actions/create-extractor-pack
      - name: Cache compilation cache
        id: query-cache
        uses: ./.github/actions/cache-query-compilation
        with:
          key: ruby-qltest
      - name: Run QL tests
        run: |
          codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
        env:
          GITHUB_TOKEN: ${{ github.token }}
--- a/.github/workflows/rust-analysis.yml
+++ b/.github/workflows/rust-analysis.yml
@@ -35,7 +35,7 @@ jobs:
    steps:
    - name: Checkout repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v4
    - name: Query latest nightly CodeQL bundle
      shell: bash
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -30,7 +30,7 @@ jobs:
        working-directory: rust/ast-generator
    steps:
      - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Inject sources
        shell: bash
        run: |
@@ -53,7 +53,7 @@ jobs:
        working-directory: rust/extractor
    steps:
      - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Format
        shell: bash
        run: |
@@ -69,7 +69,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Install CodeQL
        uses: ./.github/actions/fetch-codeql
      - name: Code generation
--- a/.github/workflows/swift.yml
+++ b/.github/workflows/swift.yml
@@ -32,11 +32,11 @@ jobs:
    if: github.repository_owner == 'github'
    strategy:
      matrix:
-        runner: [ubuntu-latest, macos-15-xlarge]
+        runner: [ubuntu-latest, macos-13-xlarge]
      fail-fast: false
    runs-on: ${{ matrix.runner }}
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Setup (Linux)
        if: runner.os == 'Linux'
        run: |
@@ -53,7 +53,7 @@ jobs:
  clang-format:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
        name: Check that python code is properly formatted
        with:
@@ -61,7 +61,7 @@ jobs:
  codegen:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - uses: ./.github/actions/fetch-codeql
      - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
        name: Check that QL generated code was checked in
@@ -77,6 +77,6 @@ jobs:
  check-no-override:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Check that no override is present in load.bzl
        run: bazel test ... --test_tag_filters=override --test_output=errors
--- a/.github/workflows/sync-files.yml
+++ b/.github/workflows/sync-files.yml
@@ -17,7 +17,7 @@ jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Check synchronized files
        run: python config/sync-files.py
      - name: Check dbscheme fragments
--- a/.github/workflows/tree-sitter-extractor-test.yml
+++ b/.github/workflows/tree-sitter-extractor-test.yml
@@ -30,7 +30,7 @@ jobs:
  test:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Check formatting
        run: cargo fmt -- --check
      - name: Run tests
@@ -38,12 +38,12 @@ jobs:
  fmt:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Check formatting
        run: cargo fmt --check
  clippy:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Run clippy
        run: cargo clippy -- --no-deps -D warnings -A clippy::new_without_default -A clippy::too_many_arguments
--- a/.github/workflows/validate-change-notes.yml
+++ b/.github/workflows/validate-change-notes.yml
@@ -23,7 +23,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Setup CodeQL
        uses: ./.github/actions/fetch-codeql
@@ -31,4 +31,4 @@ jobs:
      - name: Fail if there are any errors with existing change notes
        run: |
-          codeql pack release --groups actions,cpp,csharp,go,java,javascript,python,ruby,shared,swift -examples,-test,-experimental
+          codeql pack release --groups cpp,csharp,java,javascript,python,ruby,-examples,-test,-experimental
--- a/.github/workflows/zipmerge-test.yml
+++ b/.github/workflows/zipmerge-test.yml
@@ -18,6 +18,6 @@ jobs:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - run: |
          bazel test //misc/bazel/internal/zipmerge:test --test_output=all
--- a/.gitignore
+++ b/.gitignore
@@ -62,7 +62,6 @@ node_modules/
 # Temporary folders for working with generated models
 .model-temp
 /mad-generation-build
 # bazel-built in-tree extractor packs
 /*/extractor-pack
@@ -72,10 +71,3 @@ node_modules/
 # cargo build directory
 /target
 # some upgrade/downgrade checks create these files
 **/upgrades/*/*.dbscheme.stats
 **/downgrades/*/*.dbscheme.stats
 # Mergetool files
 *.orig
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,26 +1,24 @@
 # See https://pre-commit.com for more information
 # See https://pre-commit.com/hooks.html for more hooks
 default_language_version:
  python: python3.12
 repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v3.2.0
    hooks:
      - id: trailing-whitespace
-        exclude: /test([^/]*)/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
+        exclude: /test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
      - id: end-of-file-fixer
-        exclude: Cargo.lock$|/test([^/]*)/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
+        exclude: /test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
  - repo: https://github.com/pre-commit/mirrors-clang-format
    rev: v17.0.6
    hooks:
      - id: clang-format
-  - repo: https://github.com/psf/black
+  - repo: https://github.com/pre-commit/mirrors-autopep8
-    rev: 25.1.0
+    rev: v2.0.4
    hooks:
-      - id: black
+      - id: autopep8
-        files: ^(misc/codegen/.*|misc/scripts/models-as-data/.*)\.py$
+        files: ^misc/codegen/.*\.py
  - repo: local
    hooks:
--- a/28
+++ b/28
@@ -1,39 +1,22 @@
 # Catch-all for anything which isn't matched by a line lower down
 * @github/code-scanning-alert-coverage
 # CodeQL language libraries
 /actions/ @github/codeql-dynamic
 /cpp/ @github/codeql-c-analysis
 /csharp/ @github/codeql-csharp
-/csharp/autobuilder/Semmle.Autobuild.Cpp @github/codeql-c-extractor @github/code-scanning-language-coverage
+/csharp/autobuilder/Semmle.Autobuild.Cpp @github/codeql-c-extractor
-/csharp/autobuilder/Semmle.Autobuild.Cpp.Tests @github/codeql-c-extractor @github/code-scanning-language-coverage
+/csharp/autobuilder/Semmle.Autobuild.Cpp.Tests @github/codeql-c-extractor
 /go/ @github/codeql-go
 /go/codeql-tools/ @github/codeql-go @github/code-scanning-language-coverage
 /go/downgrades/ @github/codeql-go @github/code-scanning-language-coverage
 /go/extractor/ @github/codeql-go @github/code-scanning-language-coverage
 /go/extractor-smoke-test/ @github/codeql-go @github/code-scanning-language-coverage
 /go/ql/test/extractor-tests/ @github/codeql-go @github/code-scanning-language-coverage
 /java/ @github/codeql-java
 /javascript/ @github/codeql-javascript
 /javascript/extractor/ @github/codeql-javascript @github/code-scanning-language-coverage
 /python/ @github/codeql-python
 /python/extractor/ @github/codeql-python @github/code-scanning-language-coverage
 /ql/ @github/codeql-ql-for-ql-reviewers
 /ruby/ @github/codeql-ruby
 /ruby/extractor/ @github/codeql-ruby @github/code-scanning-language-coverage
 /rust/ @github/codeql-rust
 /rust/extractor/ @github/codeql-rust @github/code-scanning-language-coverage
 /shared/ @github/codeql-shared-libraries-reviewers
 /swift/ @github/codeql-swift
 /swift/extractor/ @github/codeql-swift @github/code-scanning-language-coverage
 /misc/codegen/ @github/codeql-swift
-/java/kotlin-extractor/ @github/codeql-kotlin @github/code-scanning-language-coverage
+/java/kotlin-extractor/ @github/codeql-kotlin
 /java/ql/test-kotlin1/ @github/codeql-kotlin
 /java/ql/test-kotlin2/ @github/codeql-kotlin
 # Experimental CodeQL cryptography
-**/experimental/**/quantum/ @github/ps-codeql
+**/experimental/quantum/ @github/ps-codeql
 /shared/quantum/ @github/ps-codeql
 # CodeQL tools and associated docs
 /docs/codeql/codeql-cli/ @github/codeql-cli-reviewers
@@ -41,6 +24,9 @@
 /docs/codeql/ql-language-reference/ @github/codeql-frontend-reviewers
 /docs/query-*-style-guide.md @github/codeql-analysis-reviewers
 # QL for QL reviewers
 /ql/ @github/codeql-ql-for-ql-reviewers
 # Bazel (excluding BUILD.bazel files)
 MODULE.bazel @github/codeql-ci-reviewers
 .bazelversion @github/codeql-ci-reviewers
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -4,13 +4,14 @@
 resolver = "2"
 members = [
    "shared/tree-sitter-extractor",
    "shared/yeast",
    "shared/yeast-macros",
    "ruby/extractor",
    "unified/extractor",
    "unified/extractor/tree-sitter-swift",
    "rust/extractor",
    "rust/extractor/macros",
    "rust/ast-generator",
    "rust/autobuild",
 ]
 [patch.crates-io]
 # patch for build script bug preventing bazel build
 # see https://github.com/rust-lang/rustc_apfloat/pull/17
 rustc_apfloat = { git = "https://github.com/redsun82/rustc_apfloat.git", rev = "32968f16ef1b082243f9bf43a3fbd65c381b3e27" }
--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -14,24 +14,22 @@ local_path_override(
 # see https://registry.bazel.build/ for a list of available packages
-bazel_dep(name = "platforms", version = "1.0.0")
+bazel_dep(name = "platforms", version = "0.0.11")
-bazel_dep(name = "rules_cc", version = "0.2.17")
+bazel_dep(name = "rules_go", version = "0.50.1")
-bazel_dep(name = "rules_go", version = "0.60.0")
+bazel_dep(name = "rules_pkg", version = "1.0.1")
-bazel_dep(name = "rules_java", version = "9.6.1")
+bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1")
-bazel_dep(name = "rules_pkg", version = "1.2.0")
+bazel_dep(name = "rules_python", version = "0.40.0")
-bazel_dep(name = "rules_nodejs", version = "6.7.3")
+bazel_dep(name = "rules_shell", version = "0.3.0")
-bazel_dep(name = "rules_python", version = "1.9.0")
+bazel_dep(name = "bazel_skylib", version = "1.7.1")
-bazel_dep(name = "rules_shell", version = "0.7.1")
+bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "absl")
 bazel_dep(name = "bazel_skylib", version = "1.9.0")
 bazel_dep(name = "abseil-cpp", version = "20260107.1", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
-bazel_dep(name = "fmt", version = "12.1.0-codeql.1")
+bazel_dep(name = "fmt", version = "10.0.0")
-bazel_dep(name = "rules_kotlin", version = "2.2.2-codeql.1")
+bazel_dep(name = "rules_kotlin", version = "2.0.0-codeql.1")
-bazel_dep(name = "gazelle", version = "0.50.0")
+bazel_dep(name = "gazelle", version = "0.40.0")
-bazel_dep(name = "rules_dotnet", version = "0.21.5-codeql.1")
+bazel_dep(name = "rules_dotnet", version = "0.17.4")
-bazel_dep(name = "googletest", version = "1.17.0.bcr.2")
+bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
-bazel_dep(name = "rules_rust", version = "0.69.0")
+bazel_dep(name = "rules_rust", version = "0.58.0")
-bazel_dep(name = "zstd", version = "1.5.7.bcr.1")
+bazel_dep(name = "zstd", version = "1.5.5.bcr.1")
 bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
@@ -39,11 +37,7 @@ bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True
 # the versions there are canonical, the versions here are used for CI in github/codeql, as well as for the vendoring of dependencies.
 RUST_EDITION = "2024"
-# run buildutils-internal/scripts/fill-rust-sha256s.py when updating (internal repo)
+RUST_VERSION = "1.85.0"
 # a nightly toolchain is required to enable experimental_use_cc_common_link, which we require internally
 # we prefer to run the same version as internally, even if experimental_use_cc_common_link is not really
 # required in this repo
 RUST_VERSION = "nightly/2026-01-22"
 rust = use_extension("@rules_rust//rust:extensions.bzl", "rust")
 rust.toolchain(
@@ -53,29 +47,6 @@ rust.toolchain(
        "x86_64-apple-darwin",
        "aarch64-apple-darwin",
    ],
    # generated by buildutils-internal/scripts/fill-rust-sha256s.py (internal repo)
    sha256s = {
        "2026-01-22/rustc-nightly-x86_64-unknown-linux-gnu.tar.xz": "88db619323cc1321630d124efa51ed02fabc5e020f08cfa0eda2c0ac1afbe69a",
        "2026-01-22/rustc-nightly-x86_64-apple-darwin.tar.xz": "08484da3fa38db56f93629aeabdc0ae9ff8ed9704c0792d35259cbc849b3f54c",
        "2026-01-22/rustc-nightly-aarch64-apple-darwin.tar.xz": "a39c0b21b7058e364ea1bd43144e42e4bf1efade036b2e82455f2afce194ee81",
        "2026-01-22/rustc-nightly-x86_64-pc-windows-msvc.tar.xz": "d00248ee9850dbb6932b2578e32ff74fc7c429854c1aa071066ca31b65385a3b",
        "2026-01-22/clippy-nightly-x86_64-unknown-linux-gnu.tar.xz": "70656a0ce994ffff16d5a35a7b170a0acd41e9bb54a589c96ed45bf97b094a4d",
        "2026-01-22/clippy-nightly-x86_64-apple-darwin.tar.xz": "fe242519fa961522734733009705aec3c2d9a20cc57291f2aa614e5e6262c88f",
        "2026-01-22/clippy-nightly-aarch64-apple-darwin.tar.xz": "38bb226363ec97c9722edf966cd58774a683e19fd2ff2a6030094445d51e06f9",
        "2026-01-22/clippy-nightly-x86_64-pc-windows-msvc.tar.xz": "6da9b4470beea67abfebf046f141eee0d2a8db7c7a9e4e2294478734fd477228",
        "2026-01-22/cargo-nightly-x86_64-unknown-linux-gnu.tar.xz": "99004e9d10c43a01499642f53bb3184d41137a95d65bfb217098840a9e79e892",
        "2026-01-22/cargo-nightly-x86_64-apple-darwin.tar.xz": "6e021394cf8d8400ac6cfdfcef24e4d74f988e91eb8028b36de3a64ce3502990",
        "2026-01-22/cargo-nightly-aarch64-apple-darwin.tar.xz": "4b2494cb69ab64132cddbc411a38ea9f1105e54d6f986e43168d54f79510c673",
        "2026-01-22/cargo-nightly-x86_64-pc-windows-msvc.tar.xz": "c36613cf57407212d10d37b76e49a60ff42336e953cdff9e177283f530a83fc1",
        "2026-01-22/llvm-tools-nightly-x86_64-unknown-linux-gnu.tar.xz": "0b123c5027dbd833aae6845ffe9bd07d309bf798746a7176aadaea68fbcbd05d",
        "2026-01-22/llvm-tools-nightly-x86_64-apple-darwin.tar.xz": "a47864491ad5619158c950ab7570fb6e487d5117338585c27334d45824b406d8",
        "2026-01-22/llvm-tools-nightly-aarch64-apple-darwin.tar.xz": "db9bc826d6e2e7e914505d50157682e516ceb90357e83d77abddc32c2d962f41",
        "2026-01-22/llvm-tools-nightly-x86_64-pc-windows-msvc.tar.xz": "ffaa406932b2fe62e01dad61cf4ed34860a5d2a6f9306ca340d79e630d930039",
        "2026-01-22/rust-std-nightly-x86_64-unknown-linux-gnu.tar.xz": "e9c0d5e06e18a4b509391b3088f29293e310cdc8ccc865be8fa3f09733326925",
        "2026-01-22/rust-std-nightly-x86_64-apple-darwin.tar.xz": "25d75995cee679a4828ca9fe48c5a31a67c3b0846018440ef912e5a6208f53f6",
        "2026-01-22/rust-std-nightly-aarch64-apple-darwin.tar.xz": "e4132bf3f2eed4684c86756a02315bcf481c23e675e3e25630fc604c9cb4594c",
        "2026-01-22/rust-std-nightly-x86_64-pc-windows-msvc.tar.xz": "961bb535ef95ae8a5fa4e224cb94aff190f155c45a9bcf7a53e184b024aa41b1",
    },
    versions = [RUST_VERSION],
 )
 use_repo(rust, "rust_toolchains")
@@ -91,8 +62,8 @@ use_repo(
    "vendor_py__cc-1.2.14",
    "vendor_py__clap-4.5.30",
    "vendor_py__regex-1.11.1",
-    "vendor_py__tree-sitter-0.24.7",
+    "vendor_py__tree-sitter-0.20.4",
-    "vendor_py__tree-sitter-graph-0.12.0",
+    "vendor_py__tree-sitter-graph-0.7.0",
 )
 # deps for ruby+rust
@@ -100,65 +71,59 @@ use_repo(
 tree_sitter_extractors_deps = use_extension("//misc/bazel/3rdparty:tree_sitter_extractors_extension.bzl", "r")
 use_repo(
    tree_sitter_extractors_deps,
-    "vendor_ts__anyhow-1.0.100",
+    "vendor_ts__anyhow-1.0.97",
    "vendor_ts__argfile-0.2.1",
-    "vendor_ts__cc-1.2.61",
+    "vendor_ts__chalk-ir-0.100.0",
-    "vendor_ts__chalk-ir-0.104.0",
+    "vendor_ts__chrono-0.4.40",
-    "vendor_ts__chrono-0.4.42",
+    "vendor_ts__clap-4.5.35",
    "vendor_ts__clap-4.5.48",
    "vendor_ts__dunce-1.0.5",
    "vendor_ts__either-1.15.0",
    "vendor_ts__encoding-0.2.33",
    "vendor_ts__figment-0.10.19",
-    "vendor_ts__flate2-1.1.2",
+    "vendor_ts__flate2-1.1.0",
-    "vendor_ts__glob-0.3.3",
+    "vendor_ts__glob-0.3.2",
-    "vendor_ts__globset-0.4.16",
+    "vendor_ts__globset-0.4.15",
    "vendor_ts__itertools-0.14.0",
    "vendor_ts__lazy_static-1.5.0",
    "vendor_ts__mustache-0.9.0",
    "vendor_ts__num-traits-0.2.19",
-    "vendor_ts__num_cpus-1.17.0",
+    "vendor_ts__num_cpus-1.16.0",
-    "vendor_ts__proc-macro2-1.0.101",
+    "vendor_ts__proc-macro2-1.0.94",
-    "vendor_ts__quote-1.0.41",
+    "vendor_ts__quote-1.0.40",
-    "vendor_ts__ra_ap_base_db-0.0.301",
+    "vendor_ts__ra_ap_base_db-0.0.273",
-    "vendor_ts__ra_ap_cfg-0.0.301",
+    "vendor_ts__ra_ap_cfg-0.0.273",
-    "vendor_ts__ra_ap_hir-0.0.301",
+    "vendor_ts__ra_ap_hir-0.0.273",
-    "vendor_ts__ra_ap_hir_def-0.0.301",
+    "vendor_ts__ra_ap_hir_def-0.0.273",
-    "vendor_ts__ra_ap_hir_expand-0.0.301",
+    "vendor_ts__ra_ap_hir_expand-0.0.273",
-    "vendor_ts__ra_ap_hir_ty-0.0.301",
+    "vendor_ts__ra_ap_hir_ty-0.0.273",
-    "vendor_ts__ra_ap_ide_db-0.0.301",
+    "vendor_ts__ra_ap_ide_db-0.0.273",
-    "vendor_ts__ra_ap_intern-0.0.301",
+    "vendor_ts__ra_ap_intern-0.0.273",
-    "vendor_ts__ra_ap_load-cargo-0.0.301",
+    "vendor_ts__ra_ap_load-cargo-0.0.273",
-    "vendor_ts__ra_ap_parser-0.0.301",
+    "vendor_ts__ra_ap_parser-0.0.273",
-    "vendor_ts__ra_ap_paths-0.0.301",
+    "vendor_ts__ra_ap_paths-0.0.273",
-    "vendor_ts__ra_ap_project_model-0.0.301",
+    "vendor_ts__ra_ap_project_model-0.0.273",
-    "vendor_ts__ra_ap_span-0.0.301",
+    "vendor_ts__ra_ap_span-0.0.273",
-    "vendor_ts__ra_ap_stdx-0.0.301",
+    "vendor_ts__ra_ap_stdx-0.0.273",
-    "vendor_ts__ra_ap_syntax-0.0.301",
+    "vendor_ts__ra_ap_syntax-0.0.273",
-    "vendor_ts__ra_ap_vfs-0.0.301",
+    "vendor_ts__ra_ap_vfs-0.0.273",
-    "vendor_ts__rand-0.9.2",
+    "vendor_ts__rand-0.9.0",
-    "vendor_ts__rayon-1.11.0",
+    "vendor_ts__rayon-1.10.0",
-    "vendor_ts__regex-1.11.3",
+    "vendor_ts__regex-1.11.1",
-    "vendor_ts__serde-1.0.228",
+    "vendor_ts__serde-1.0.219",
-    "vendor_ts__serde_json-1.0.145",
+    "vendor_ts__serde_json-1.0.140",
-    "vendor_ts__serde_with-3.14.1",
+    "vendor_ts__serde_with-3.12.0",
-    "vendor_ts__serde_yaml-0.9.34-deprecated",
+    "vendor_ts__syn-2.0.100",
-    "vendor_ts__syn-2.0.106",
+    "vendor_ts__toml-0.8.20",
    "vendor_ts__toml-0.9.7",
    "vendor_ts__tracing-0.1.41",
    "vendor_ts__tracing-flame-0.2.0",
-    "vendor_ts__tracing-subscriber-0.3.20",
+    "vendor_ts__tracing-subscriber-0.3.19",
-    "vendor_ts__tree-sitter-0.26.8",
+    "vendor_ts__tree-sitter-0.24.6",
-    "vendor_ts__tree-sitter-embedded-template-0.25.0",
+    "vendor_ts__tree-sitter-embedded-template-0.23.2",
    "vendor_ts__tree-sitter-generate-0.26.8",
    "vendor_ts__tree-sitter-json-0.24.8",
    "vendor_ts__tree-sitter-language-0.1.5",
    "vendor_ts__tree-sitter-python-0.23.6",
    "vendor_ts__tree-sitter-ql-0.23.1",
    "vendor_ts__tree-sitter-ruby-0.23.1",
    "vendor_ts__triomphe-0.1.14",
    "vendor_ts__ungrammar-1.16.1",
    "vendor_ts__zstd-0.13.3",
 )
 http_archive = use_repo_rule("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
@@ -179,7 +144,7 @@ http_archive(
 )
 dotnet = use_extension("@rules_dotnet//dotnet:extensions.bzl", "dotnet")
-dotnet.toolchain(dotnet_version = "10.0.100")
+dotnet.toolchain(dotnet_version = "9.0.100")
 use_repo(dotnet, "dotnet_toolchains")
 register_toolchains("@dotnet_toolchains//:all")
@@ -195,15 +160,6 @@ pip.parse(
 )
 use_repo(pip, "codegen_deps")
 python = use_extension("@rules_python//python/extensions:python.bzl", "python")
 python.toolchain(
    is_default = True,
    python_version = "3.12",
 )
 use_repo(python, "python_3_12", "python_versions")
 register_toolchains("@python_versions//3.12:all")
 swift_deps = use_extension("//swift/third_party:load.bzl", "swift_deps")
 # following list can be kept in sync with `bazel mod tidy`
@@ -237,6 +193,14 @@ use_repo(
    kotlin_extractor_deps,
    "codeql_kotlin_defaults",
    "codeql_kotlin_embeddable",
    "kotlin-compiler-1.5.0",
    "kotlin-compiler-1.5.10",
    "kotlin-compiler-1.5.20",
    "kotlin-compiler-1.5.30",
    "kotlin-compiler-1.6.0",
    "kotlin-compiler-1.6.20",
    "kotlin-compiler-1.7.0",
    "kotlin-compiler-1.7.20",
    "kotlin-compiler-1.8.0",
    "kotlin-compiler-1.9.0-Beta",
    "kotlin-compiler-1.9.20-Beta",
@@ -244,10 +208,14 @@ use_repo(
    "kotlin-compiler-2.0.20-Beta2",
    "kotlin-compiler-2.1.0-Beta1",
    "kotlin-compiler-2.1.20-Beta1",
-    "kotlin-compiler-2.2.0-Beta1",
+    "kotlin-compiler-embeddable-1.5.0",
-    "kotlin-compiler-2.2.20-Beta2",
+    "kotlin-compiler-embeddable-1.5.10",
-    "kotlin-compiler-2.3.0",
+    "kotlin-compiler-embeddable-1.5.20",
-    "kotlin-compiler-2.3.20",
+    "kotlin-compiler-embeddable-1.5.30",
    "kotlin-compiler-embeddable-1.6.0",
    "kotlin-compiler-embeddable-1.6.20",
    "kotlin-compiler-embeddable-1.7.0",
    "kotlin-compiler-embeddable-1.7.20",
    "kotlin-compiler-embeddable-1.8.0",
    "kotlin-compiler-embeddable-1.9.0-Beta",
    "kotlin-compiler-embeddable-1.9.20-Beta",
@@ -255,10 +223,14 @@ use_repo(
    "kotlin-compiler-embeddable-2.0.20-Beta2",
    "kotlin-compiler-embeddable-2.1.0-Beta1",
    "kotlin-compiler-embeddable-2.1.20-Beta1",
-    "kotlin-compiler-embeddable-2.2.0-Beta1",
+    "kotlin-stdlib-1.5.0",
-    "kotlin-compiler-embeddable-2.2.20-Beta2",
+    "kotlin-stdlib-1.5.10",
-    "kotlin-compiler-embeddable-2.3.0",
+    "kotlin-stdlib-1.5.20",
-    "kotlin-compiler-embeddable-2.3.20",
+    "kotlin-stdlib-1.5.30",
    "kotlin-stdlib-1.6.0",
    "kotlin-stdlib-1.6.20",
    "kotlin-stdlib-1.7.0",
    "kotlin-stdlib-1.7.20",
    "kotlin-stdlib-1.8.0",
    "kotlin-stdlib-1.9.0-Beta",
    "kotlin-stdlib-1.9.20-Beta",
@@ -266,29 +238,33 @@ use_repo(
    "kotlin-stdlib-2.0.20-Beta2",
    "kotlin-stdlib-2.1.0-Beta1",
    "kotlin-stdlib-2.1.20-Beta1",
    "kotlin-stdlib-2.2.0-Beta1",
    "kotlin-stdlib-2.2.20-Beta2",
    "kotlin-stdlib-2.3.0",
    "kotlin-stdlib-2.3.20",
 )
 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
-go_sdk.download(version = "1.26.0")
+go_sdk.download(version = "1.24.0")
 go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
 go_deps.from_file(go_mod = "//go/extractor:go.mod")
-use_repo(go_deps, "com_github_stretchr_testify", "org_golang_x_mod", "org_golang_x_tools")
+use_repo(go_deps, "org_golang_x_mod", "org_golang_x_tools")
-ripunzip_archive = use_repo_rule("//misc/ripunzip:ripunzip.bzl", "ripunzip_archive")
+lfs_files = use_repo_rule("//misc/bazel:lfs.bzl", "lfs_files")
-# go to https://github.com/GoogleChrome/ripunzip/releases to find latest version and corresponding sha256s
+lfs_files(
-ripunzip_archive(
+    name = "ripunzip-linux",
-    name = "ripunzip",
+    srcs = ["//misc/ripunzip:ripunzip-linux"],
-    sha256_linux = "71482d7a7e4ea9176d5596161c49250c34b136b157c45f632b1111323fbfc0de",
+    executable = True,
-    sha256_macos_arm = "604194ab13f0aba3972995d995f11002b8fc285c8170401fcd46655065df20c9",
+)
-    sha256_macos_intel = "65367b94fd579d93d46f2d2595cc4c9a60cfcf497e3c824f9d1a7b80fa8bd38a",
+
-    sha256_windows = "ac3874075def2b9e5074a3b5945005ab082cc6e689e1de658da8965bc23e643e",
+lfs_files(
-    version = "2.0.4",
+    name = "ripunzip-windows",
    srcs = ["//misc/ripunzip:ripunzip-windows.exe"],
    executable = True,
 )
 lfs_files(
    name = "ripunzip-macos",
    srcs = ["//misc/ripunzip:ripunzip-macos"],
    executable = True,
 )
 register_toolchains(
--- a/actions/extractor/codeql-extractor.yml
+++ b/actions/extractor/codeql-extractor.yml
@@ -1,17 +1,14 @@
 name: "actions"
 aliases: []
 display_name: "GitHub Actions"
 version: 0.0.1
 column_kind: "utf16"
 unicode_newlines: true
 build_modes:
  - none
-default_queries:
+file_coverage_languages: []
  - codeql/actions-queries
 # Actions workflows are not reported separately by the GitHub API, so we can't
 # associate them with a specific language.
 github_api_languages: []
-scc_languages:
+scc_languages: []
  - YAML
 file_types:
  - name: workflow
    display_name: GitHub Actions workflow files
--- a/actions/extractor/tools/baseline-config.json
+++ b/actions/extractor/tools/baseline-config.json
@@ -1,10 +0,0 @@
 {
    "paths": [
        ".github/workflows/*.yml",
        ".github/workflows/*.yaml",
        ".github/reusable_workflows/**/*.yml",
        ".github/reusable_workflows/**/*.yaml",
        "**/action.yml",
        "**/action.yaml"
    ]
 }
--- a/actions/extractor/tools/configure-baseline.cmd
+++ b/actions/extractor/tools/configure-baseline.cmd
@@ -1,2 +0,0 @@
@echo off
 type "%CODEQL_EXTRACTOR_ACTIONS_ROOT%\tools\baseline-config.json"
--- a/actions/extractor/tools/configure-baseline.sh
+++ b/actions/extractor/tools/configure-baseline.sh
@@ -1,3 +0,0 @@
 #!/bin/sh
 cat "$CODEQL_EXTRACTOR_ACTIONS_ROOT/tools/baseline-config.json"
--- a/actions/ql/examples/codeql-pack.lock.yml
+++ b/actions/ql/examples/codeql-pack.lock.yml
@@ -1,4 +0,0 @@
 ---
 lockVersion: 1.0.0
 dependencies: {}
 compiled: false
--- a/actions/ql/examples/qlpack.yml
+++ b/actions/ql/examples/qlpack.yml
@@ -1,7 +0,0 @@
 name: codeql/actions-examples
 groups:
  - actions
  - examples
 dependencies:
  codeql/actions-all: ${workspace}
 warnOnImplicitThis: true
--- a/actions/ql/examples/snippets/uses_pinned_sha.ql
+++ b/actions/ql/examples/snippets/uses_pinned_sha.ql
@@ -1,12 +0,0 @@
 /**
 * @name Uses step with pinned SHA
 * @description Finds 'uses' steps where the version is a pinned SHA.
 * @id actions/examples/uses-pinned-sha
 * @tags example
 */
 import actions
 from UsesStep uses
 where uses.getVersion().regexpMatch("^[A-Fa-f0-9]{40}([A-Fa-f0-9]{24})?$")
 select uses, "This 'uses' step has a pinned SHA version."
--- a/actions/ql/integration-tests/query-suite/actions-code-quality-extended.qls.expected
+++ b/actions/ql/integration-tests/query-suite/actions-code-quality-extended.qls.expected
@@ -1 +0,0 @@
--- a/actions/ql/integration-tests/query-suite/actions-code-quality.qls.expected
+++ b/actions/ql/integration-tests/query-suite/actions-code-quality.qls.expected
@@ -1 +0,0 @@
--- a/actions/ql/integration-tests/query-suite/actions-code-scanning.qls.expected
+++ b/actions/ql/integration-tests/query-suite/actions-code-scanning.qls.expected
@@ -1,18 +0,0 @@
 ql/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
 ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
 ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
 ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
 ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
 ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
 ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
 ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
 ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
 ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
 ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
 ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
 ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
 ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
 ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
 ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
 ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
 ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
--- a/actions/ql/integration-tests/query-suite/actions-security-and-quality.qls.expected
+++ b/actions/ql/integration-tests/query-suite/actions-security-and-quality.qls.expected
@@ -1,28 +0,0 @@
 ql/actions/ql/src/Debug/SyntaxError.ql
 ql/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
 ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
 ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
 ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
 ql/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
 ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
 ql/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
 ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
 ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
 ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
 ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
 ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
 ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
 ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
 ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
 ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
 ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
 ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
 ql/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql
 ql/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql
 ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
 ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
 ql/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
 ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
 ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
 ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql
 ql/actions/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql
--- a/actions/ql/integration-tests/query-suite/actions-security-extended.qls.expected
+++ b/actions/ql/integration-tests/query-suite/actions-security-extended.qls.expected
@@ -1,24 +0,0 @@
 ql/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
 ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
 ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
 ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
 ql/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
 ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
 ql/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
 ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
 ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
 ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
 ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
 ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
 ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
 ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
 ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
 ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
 ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
 ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
 ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
 ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
 ql/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
 ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
 ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
 ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql
--- a/actions/ql/integration-tests/query-suite/not_included_in_qls.expected
+++ b/actions/ql/integration-tests/query-suite/not_included_in_qls.expected
@@ -1,17 +0,0 @@
 ql/actions/ql/src/Debug/partial.ql
 ql/actions/ql/src/Models/CompositeActionsSinks.ql
 ql/actions/ql/src/Models/CompositeActionsSources.ql
 ql/actions/ql/src/Models/CompositeActionsSummaries.ql
 ql/actions/ql/src/Models/ReusableWorkflowsSinks.ql
 ql/actions/ql/src/Models/ReusableWorkflowsSources.ql
 ql/actions/ql/src/Models/ReusableWorkflowsSummaries.ql
 ql/actions/ql/src/experimental/Security/CWE-074/OutputClobberingHigh.ql
 ql/actions/ql/src/experimental/Security/CWE-078/CommandInjectionCritical.ql
 ql/actions/ql/src/experimental/Security/CWE-078/CommandInjectionMedium.ql
 ql/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.ql
 ql/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionMedium.ql
 ql/actions/ql/src/experimental/Security/CWE-200/SecretExfiltration.ql
 ql/actions/ql/src/experimental/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
 ql/actions/ql/src/experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
 ql/actions/ql/src/experimental/Security/CWE-829/UnversionedImmutableAction.ql
 ql/actions/ql/src/experimental/Security/CWE-918/RequestForgery.ql
--- a/actions/ql/integration-tests/query-suite/test.py
+++ b/actions/ql/integration-tests/query-suite/test.py
@@ -1,14 +0,0 @@
 import runs_on
 import pytest
 from query_suites import *
 well_known_query_suites = ['actions-code-quality.qls', 'actions-code-quality-extended.qls', 'actions-security-and-quality.qls', 'actions-security-extended.qls', 'actions-code-scanning.qls']
@runs_on.posix
@pytest.mark.parametrize("query_suite", well_known_query_suites)
 def test(codeql, actions, check_query_suite, query_suite):
    check_query_suite(query_suite)
@runs_on.posix
 def test_not_included_queries(codeql, actions, check_queries_not_included):
    check_queries_not_included('actions', well_known_query_suites)
--- a/actions/ql/lib/CHANGELOG.md
+++ b/actions/ql/lib/CHANGELOG.md
@@ -1,144 +1,6 @@
 ## 0.4.37
 ### Minor Analysis Improvements
 * The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, include regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a sha1 or sha256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.
 ## 0.4.36
 ### Minor Analysis Improvements
 * Altered 2 patterns in the `poisonable_steps` modelling. Extra sinks are detected in the following cases: scripts executed via python modules and `go run` in directories are detected as potential mechanisms of injection. For the go execution pattern, the pattern is updated to now ignore flags that occur between go and the specific command. This change may lead to more results being detected by the following queries: `actions/untrusted-checkout/high`, `actions/untrusted-checkout/critical`, `actions/untrusted-checkout-toctou/high`, `actions/untrusted-checkout-toctou/critical`, `actions/cache-poisoning/poisonable-step`, `actions/cache-poisoning/direct-cache` and `actions/artifact-poisoning/path-traversal`.
 ## 0.4.35
 No user-facing changes.
 ## 0.4.34
 ### Minor Analysis Improvements
 * Removed false positive injection sink models for the `context` input of `docker/build-push-action` and the `allowed-endpoints` input of `step-security/harden-runner`.
 ## 0.4.33
 No user-facing changes.
 ## 0.4.32
 No user-facing changes.
 ## 0.4.31
 No user-facing changes.
 ## 0.4.30
 No user-facing changes.
 ## 0.4.29
 No user-facing changes.
 ## 0.4.28
 No user-facing changes.
 ## 0.4.27
 ### Bug Fixes
 * Fixed a crash when analysing a `${{ ... }}` expression over around 300 characters in length.
 ## 0.4.26
 ### Major Analysis Improvements
 * The query `actions/code-injection/medium` has been updated to include results which were incorrectly excluded while filtering out results that are reported by `actions/code-injection/critical`.
 ## 0.4.25
 No user-facing changes.
 ## 0.4.24
 No user-facing changes.
 ## 0.4.23
 No user-facing changes.
 ## 0.4.22
 No user-facing changes.
 ## 0.4.21
 No user-facing changes.
 ## 0.4.20
 No user-facing changes.
 ## 0.4.19
 No user-facing changes.
 ## 0.4.18
 No user-facing changes.
 ## 0.4.17
 No user-facing changes.
 ## 0.4.16
 No user-facing changes.
 ## 0.4.15
 No user-facing changes.
 ## 0.4.14
 No user-facing changes.
 ## 0.4.13
 ### Bug Fixes
 * The `actions/artifact-poisoning/critical` and `actions/artifact-poisoning/medium` queries now exclude artifacts downloaded to `$[{ runner.temp }}` in addition to `/tmp`.
 ## 0.4.12
 ### Minor Analysis Improvements
 * Fixed performance issues in the parsing of Bash scripts in workflow files,
  which led to out-of-disk errors when analysing certain workflow files with
  complex interpolations of shell commands or quoted strings.
 ## 0.4.11
 No user-facing changes.
 ## 0.4.10
 No user-facing changes.
 ## 0.4.9
 No user-facing changes.
 ## 0.4.8
 No user-facing changes.
 ## 0.4.7
-### New Features
+No user-facing changes.
 * CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
 ## 0.4.6
--- a/actions/ql/lib/change-notes/released/0.4.10.md
+++ b/actions/ql/lib/change-notes/released/0.4.10.md
@@ -1,3 +0,0 @@
 ## 0.4.10
 No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.11.md
+++ b/actions/ql/lib/change-notes/released/0.4.11.md
@@ -1,3 +0,0 @@
 ## 0.4.11
 No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.12.md
+++ b/actions/ql/lib/change-notes/released/0.4.12.md
@@ -1,7 +0,0 @@
 ## 0.4.12
 ### Minor Analysis Improvements
 * Fixed performance issues in the parsing of Bash scripts in workflow files,
  which led to out-of-disk errors when analysing certain workflow files with
  complex interpolations of shell commands or quoted strings.
--- a/actions/ql/lib/change-notes/released/0.4.13.md
+++ b/actions/ql/lib/change-notes/released/0.4.13.md
@@ -1,5 +0,0 @@
 ## 0.4.13
 ### Bug Fixes
 * The `actions/artifact-poisoning/critical` and `actions/artifact-poisoning/medium` queries now exclude artifacts downloaded to `$[{ runner.temp }}` in addition to `/tmp`.
--- a/actions/ql/lib/change-notes/released/0.4.14.md
+++ b/actions/ql/lib/change-notes/released/0.4.14.md
@@ -1,3 +0,0 @@
 ## 0.4.14
 No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.15.md
+++ b/actions/ql/lib/change-notes/released/0.4.15.md
@@ -1,3 +0,0 @@
 ## 0.4.15
 No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.16.md
+++ b/actions/ql/lib/change-notes/released/0.4.16.md
@@ -1,3 +0,0 @@
 ## 0.4.16
 No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.17.md
+++ b/actions/ql/lib/change-notes/released/0.4.17.md
@@ -1,3 +0,0 @@
 ## 0.4.17
 No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.18.md
+++ b/actions/ql/lib/change-notes/released/0.4.18.md
@@ -1,3 +0,0 @@
 ## 0.4.18
 No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.19.md
+++ b/actions/ql/lib/change-notes/released/0.4.19.md
@@ -1,3 +0,0 @@
 ## 0.4.19
 No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.20.md
+++ b/actions/ql/lib/change-notes/released/0.4.20.md
@@ -1,3 +0,0 @@
 ## 0.4.20
 No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.21.md
+++ b/actions/ql/lib/change-notes/released/0.4.21.md
@@ -1,3 +0,0 @@
 ## 0.4.21
 No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.22.md
+++ b/actions/ql/lib/change-notes/released/0.4.22.md
@@ -1,3 +0,0 @@
 ## 0.4.22
 No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.23.md
+++ b/actions/ql/lib/change-notes/released/0.4.23.md
@@ -1,3 +0,0 @@
 ## 0.4.23
 No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.24.md
+++ b/actions/ql/lib/change-notes/released/0.4.24.md
@@ -1,3 +0,0 @@
 ## 0.4.24
 No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.25.md
+++ b/actions/ql/lib/change-notes/released/0.4.25.md
@@ -1,3 +0,0 @@
 ## 0.4.25
 No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.26.md
+++ b/actions/ql/lib/change-notes/released/0.4.26.md
@@ -1,5 +0,0 @@
 ## 0.4.26
 ### Major Analysis Improvements
 * The query `actions/code-injection/medium` has been updated to include results which were incorrectly excluded while filtering out results that are reported by `actions/code-injection/critical`.
--- a/actions/ql/lib/change-notes/released/0.4.27.md
+++ b/actions/ql/lib/change-notes/released/0.4.27.md
@@ -1,5 +0,0 @@
 ## 0.4.27
 ### Bug Fixes
 * Fixed a crash when analysing a `${{ ... }}` expression over around 300 characters in length.
--- a/actions/ql/lib/change-notes/released/0.4.28.md
+++ b/actions/ql/lib/change-notes/released/0.4.28.md
@@ -1,3 +0,0 @@
 ## 0.4.28
 No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.29.md
+++ b/actions/ql/lib/change-notes/released/0.4.29.md
@@ -1,3 +0,0 @@
 ## 0.4.29
 No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.30.md
+++ b/actions/ql/lib/change-notes/released/0.4.30.md
@@ -1,3 +0,0 @@
 ## 0.4.30
 No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.31.md
+++ b/actions/ql/lib/change-notes/released/0.4.31.md
@@ -1,3 +0,0 @@
 ## 0.4.31
 No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.32.md
+++ b/actions/ql/lib/change-notes/released/0.4.32.md
@@ -1,3 +0,0 @@
 ## 0.4.32
 No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.33.md
+++ b/actions/ql/lib/change-notes/released/0.4.33.md
@@ -1,3 +0,0 @@
 ## 0.4.33
 No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.34.md
+++ b/actions/ql/lib/change-notes/released/0.4.34.md
@@ -1,5 +0,0 @@
 ## 0.4.34
 ### Minor Analysis Improvements
 * Removed false positive injection sink models for the `context` input of `docker/build-push-action` and the `allowed-endpoints` input of `step-security/harden-runner`.
--- a/actions/ql/lib/change-notes/released/0.4.35.md
+++ b/actions/ql/lib/change-notes/released/0.4.35.md
@@ -1,3 +0,0 @@
 ## 0.4.35
 No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.36.md
+++ b/actions/ql/lib/change-notes/released/0.4.36.md
@@ -1,5 +0,0 @@
 ## 0.4.36
 ### Minor Analysis Improvements
 * Altered 2 patterns in the `poisonable_steps` modelling. Extra sinks are detected in the following cases: scripts executed via python modules and `go run` in directories are detected as potential mechanisms of injection. For the go execution pattern, the pattern is updated to now ignore flags that occur between go and the specific command. This change may lead to more results being detected by the following queries: `actions/untrusted-checkout/high`, `actions/untrusted-checkout/critical`, `actions/untrusted-checkout-toctou/high`, `actions/untrusted-checkout-toctou/critical`, `actions/cache-poisoning/poisonable-step`, `actions/cache-poisoning/direct-cache` and `actions/artifact-poisoning/path-traversal`.
--- a/actions/ql/lib/change-notes/released/0.4.37.md
+++ b/actions/ql/lib/change-notes/released/0.4.37.md
@@ -1,5 +0,0 @@
 ## 0.4.37
 ### Minor Analysis Improvements
 * The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, include regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a sha1 or sha256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.
--- a/actions/ql/lib/change-notes/released/0.4.7.md
+++ b/actions/ql/lib/change-notes/released/0.4.7.md
@@ -1,5 +1,3 @@
 ## 0.4.7
-### New Features
+No user-facing changes.
 * CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
--- a/actions/ql/lib/change-notes/released/0.4.8.md
+++ b/actions/ql/lib/change-notes/released/0.4.8.md
@@ -1,3 +0,0 @@
 ## 0.4.8
 No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.9.md
+++ b/actions/ql/lib/change-notes/released/0.4.9.md
@@ -1,3 +0,0 @@
 ## 0.4.9
 No user-facing changes.
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Philip Ginsbach	74084c9809	add overlay[caller] annotations	2025-04-21 10:09:30 +01:00
Philip Ginsbach	7926ce5b56	set compileForOverlayEval true for java	2025-04-21 10:09:01 +01:00
Philip Ginsbach	77bd819558	synchronise files	2025-04-21 10:08:59 +01:00
Philip Ginsbach	1a05a1f5b2	annotate qll files via python script	2025-04-21 10:08:56 +01:00
		`@@ -1,2 +0,0 @@`
			`@echo off`
			`type "%CODEQL_EXTRACTOR_ACTIONS_ROOT%\tools\baseline-config.json"`
		`@@ -1,3 +0,0 @@`
			`#!/bin/sh`

			`cat "$CODEQL_EXTRACTOR_ACTIONS_ROOT/tools/baseline-config.json"`