Fix test results

Remove some extensions
Update data extensions after rebase.
2026-05-16 20:27:06 +02:00 · 2023-01-03 19:18:46 -08:00 · 2023-01-02 17:10:39 -08:00 · 2022-12-15 11:46:49 +01:00 · 2022-12-15 11:46:47 +01:00 · 2022-12-15 11:20:59 +01:00
33845 changed files with 3422518 additions and 3086750 deletions
--- a/.bazelrc
+++ b/.bazelrc
@@ -1,42 +1,3 @@
-common --enable_platform_specific_config
-# because we use --override_module with `%workspace%`, the lock file is not stable
-common --lockfile_mode=off
-
-# Build release binaries by default, can be overwritten to in local.bazelrc and set to `fastbuild` or `dbg`
-build --compilation_mode opt
-
-# when building from this repository in isolation, the internal repository will not be found at ..
-# where `MODULE.bazel` looks for it. The following will get us past the module loading phase, so
-# that we can build things that do not rely on that
-common --override_module=semmle_code=%workspace%/misc/bazel/semmle_code_stub
-
-build --repo_env=CC=clang --repo_env=CXX=clang++
-
-# print test output, like sembuild does.
-# Set to `errors` if this is too verbose.
-test --test_output all
-# we use transitions that break builds of `...`, so for `test` to work with that we need the following
-test --build_tests_only
-
-# this requires developer mode, but is required to have pack installer functioning
-startup --windows_enable_symlinks
-common --enable_runfiles
-
-# with the above, we can avoid building python zips which is the default on windows as that's expensive
-build --nobuild_python_zip
-
-common --registry=file:///%workspace%/misc/bazel/registry
-common --registry=https://bcr.bazel.build
-
-common --@rules_dotnet//dotnet/settings:strict_deps=false
-
-# Reduce this eventually to empty, once we've fixed all our usages of java, and https://github.com/bazel-contrib/rules_go/issues/4193 is fixed
-common --incompatible_autoload_externally="+@rules_java,+@rules_shell"
-
-build --java_language_version=17
-build --tool_java_language_version=17
-build --tool_java_runtime_version=remotejdk_17
-build --java_runtime_version=remotejdk_17
-build --@rules_python//python/config_settings:python_version=3.12
+build --repo_env=CC=clang --repo_env=CXX=clang++ --cxxopt="-std=c++17"

 try-import %workspace%/local.bazelrc
--- a/.bazelrc.internal
+++ b/.bazelrc.internal
@@ -1,12 +0,0 @@
-# this file should contain bazel settings required to build things from `semmle-code`
-
-common --registry=file:///%workspace%/ql/misc/bazel/registry
-common --registry=https://bcr.bazel.build
-
-# See bazelbuild/rules_dotnet#413: strict_deps in C# also appliy to 3rd-party deps, and when we pull
-# in (for example) the xunit package, there's no code in this at all, it just depends transitively on
-# its implementation packages without providing any code itself.
-# We either can depend on internal implementation details, or turn of strict deps.
-common --@rules_dotnet//dotnet/settings:strict_deps=false
-
-build --@rules_python//python/config_settings:python_version=3.12
--- a/.bazelversion
+++ b/.bazelversion
@@ -1 +1 @@
-8.1.1
+5.0.0
--- a/.clang-format
+++ b/.clang-format
@@ -1 +0,0 @@
-DisableFormat: true
--- a/.devcontainer/Dockerfile.codespaces
+++ b/.devcontainer/Dockerfile.codespaces
@@ -1,7 +0,0 @@
-FROM mcr.microsoft.com/devcontainers/base:ubuntu-24.04
-
-USER root
-# Install needed packages according to https://codeql.github.com/docs/codeql-overview/system-requirements/
-# most come from the base image, but we need to install some additional ones
-RUN DEBIAN_FRONTEND=noninteractive apt update && apt install -y sudo man-db python3.12 npm unminimize
-RUN yes | unminimize
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -1,16 +1,12 @@
 {
  "extensions": [
-    "rust-lang.rust-analyzer",
+    "rust-lang.rust",
    "bungcip.better-toml",
    "github.vscode-codeql",
    "hbenl.vscode-test-explorer",
    "ms-vscode.test-adapter-converter",
    "slevesque.vscode-zipexplorer"
  ],
-  "build": {
-    // Path is relative to the devcontainer.json file.
-    "dockerfile": "Dockerfile.codespaces"
-  },
  "settings": {
    "files.watcherExclude": {
      "**/target/**": true
--- a/.devcontainer/swift/Dockerfile
+++ b/.devcontainer/swift/Dockerfile
@@ -0,0 +1,9 @@
+# See here for image contents: https://github.com/microsoft/vscode-dev-containers/tree/v0.236.0/containers/cpp/.devcontainer/base.Dockerfile
+
+# [Choice] Debian / Ubuntu version (use Debian 11, Ubuntu 18.04/22.04 on local arm64/Apple Silicon): debian-11, debian-10, ubuntu-22.04, ubuntu-20.04, ubuntu-18.04
+FROM mcr.microsoft.com/vscode/devcontainers/cpp:0-ubuntu-22.04
+
+USER root
+ADD root.sh /tmp/root.sh
+ADD update-codeql.sh /usr/local/bin/update-codeql
+RUN bash /tmp/root.sh && rm /tmp/root.sh
--- a/.devcontainer/swift/devcontainer.json
+++ b/.devcontainer/swift/devcontainer.json
@@ -0,0 +1,25 @@
+{
+	"extensions": [
+		"github.vscode-codeql",
+		"hbenl.vscode-test-explorer",
+		"ms-vscode.test-adapter-converter",
+		"slevesque.vscode-zipexplorer",
+		"ms-vscode.cpptools"
+	],
+	"settings": {
+		"files.watcherExclude": {
+			"**/target/**": true
+		},
+		"codeQL.runningQueries.memory": 2048
+	},
+	"build": {
+		"dockerfile": "Dockerfile",
+	},
+	"runArgs": [
+		"--cap-add=SYS_PTRACE",
+		"--security-opt",
+		"seccomp=unconfined"
+	],
+	"remoteUser": "vscode",
+	"onCreateCommand": ".devcontainer/swift/user.sh"
+}
--- a/.devcontainer/swift/root.sh
+++ b/.devcontainer/swift/root.sh
@@ -0,0 +1,22 @@
+set -xe
+
+BAZELISK_VERSION=v1.12.0
+BAZELISK_DOWNLOAD_SHA=6b0bcb2ea15bca16fffabe6fda75803440375354c085480fe361d2cbf32501db
+
+apt-get update
+export DEBIAN_FRONTEND=noninteractive
+apt-get -y install --no-install-recommends \
+    zlib1g-dev \
+    uuid-dev \
+    python3-distutils \
+    python3-pip \
+    bash-completion
+
+# Install Bazel
+curl -fSsL -o /usr/local/bin/bazelisk https://github.com/bazelbuild/bazelisk/releases/download/${BAZELISK_VERSION}/bazelisk-linux-amd64
+echo "${BAZELISK_DOWNLOAD_SHA} */usr/local/bin/bazelisk" | sha256sum --check -
+chmod 0755 /usr/local/bin/bazelisk
+ln -s bazelisk /usr/local/bin/bazel
+
+# install latest codeql
+update-codeql
--- a/.devcontainer/swift/update-codeql.sh
+++ b/.devcontainer/swift/update-codeql.sh
@@ -0,0 +1,20 @@
+#!/bin/bash -e
+
+URL=https://github.com/github/codeql-cli-binaries/releases
+LATEST_VERSION=$(curl -L -s -H 'Accept: application/json' $URL/latest | sed -e 's/.*"tag_name":"\([^"]*\)".*/\1/')
+CURRENT_VERSION=v$(codeql version 2>/dev/null | sed -ne 's/.*release \([0-9.]*\)\./\1/p')
+if [[ $CURRENT_VERSION != $LATEST_VERSION ]]; then
+  if [[ $UID != 0 ]]; then
+    echo "update required, please run this script with sudo:"
+    echo "  sudo $0"
+    exit 1
+  fi
+  ZIP=$(mktemp codeql.XXXX.zip)
+  curl -fSqL -o $ZIP $URL/download/$LATEST_VERSION/codeql-linux64.zip
+  unzip -q $ZIP -d /opt
+  rm $ZIP
+  ln -sf /opt/codeql/codeql /usr/local/bin/codeql
+  echo installed version $LATEST_VERSION
+else
+  echo current version $CURRENT_VERSION is up-to-date
+fi
--- a/.devcontainer/swift/user.sh
+++ b/.devcontainer/swift/user.sh
@@ -0,0 +1,13 @@
+set -xe
+
+# add the workspace to the codeql search path
+mkdir -p /home/vscode/.config/codeql
+echo "--search-path /workspaces/codeql" > /home/vscode/.config/codeql/config
+
+# create a swift extractor pack with the current state
+cd /workspaces/codeql
+bazel run swift/create-extractor-pack
+
+#install and set up pre-commit
+python3 -m pip install pre-commit --no-warn-script-location
+$HOME/.local/bin/pre-commit install
--- a/.git-blame-ignore-revs
+++ b/.git-blame-ignore-revs
@@ -1,21 +0,0 @@
-# .git-blame-ignore-revs
-# Auto-formatted Java
-730eae952139209fe9fdf598541d608f4c0c0c84
-# Auto-formatted C#
-5ad7ed49dd3de03ec6dcfcb6848758a6a987e11c
-# Auto-formatted C/C++
-ef97e539ec1971494d4bba5cafe82e00bc8217ac
-# Auto-formatted Python
-21d5fa836b3a7d020ba45e8b8168b145a9772131
-# Auto-formatted JavaScript
-8d97fe9ed327a9546ff2eaf515cf0f5214deddd9
-# Auto-formatted Ruby
-a5d229903d2f12d45f2c2c38822f1d0e7504ae7f
-# Auto-formatted Go
-08c658e66bf867090033ea096e244a93d46c0aa7
-# Auto-formatted Swift
-711d7057f79fb7d72fc3b35e010bd018f9009169
-# Auto-formatted shared ql packs
-3640b6d3a8ce9edf8e1d3ed106fe8526cf255bc0
-# Auto-formatted taint tracking files
-159d8e978c51959b380838c080d891b66e763b19
--- a/.gitattributes
+++ b/.gitattributes
@@ -50,41 +50,24 @@
 *.dll -text
 *.pdb -text

-/java/ql/test/stubs/**/*.java linguist-generated=true
-/java/ql/test/experimental/stubs/**/*.java linguist-generated=true
-/java/kotlin-extractor/deps/*.jar filter=lfs diff=lfs merge=lfs -text
+java/ql/test/stubs/**/*.java linguist-generated=true
+java/ql/test/experimental/stubs/**/*.java linguist-generated=true

 # Force git not to modify line endings for go or html files under the go/ql directory
-/go/ql/**/*.go -text
-/go/ql/**/*.html -text
+go/ql/**/*.go -text
+go/ql/**/*.html -text
 # Force git not to modify line endings for go dbschemes
-/go/*.dbscheme -text
+go/*.dbscheme -text
 # Preserve unusual line ending from codeql-go merge
-/go/extractor/opencsv/CSVReader.java -text
+go/extractor/opencsv/CSVReader.java -text

 # For some languages, upgrade script testing references really old dbscheme
 # files from legacy upgrades that have CRLF line endings. Since upgrade
 # resolution relies on object hashes, we must suppress line ending conversion
 # for those testing dbscheme files.
-/*/ql/lib/upgrades/initial/*.dbscheme -text
+*/ql/lib/upgrades/initial/*.dbscheme -text

-# Auto-generated modeling for Python
-/python/ql/lib/semmle/python/frameworks/data/internal/subclass-capture/*.yml linguist-generated=true
-
-# auto-generated bazel lock file
-/ruby/extractor/cargo-bazel-lock.json linguist-generated=true
-/ruby/extractor/cargo-bazel-lock.json -merge
-
-# auto-generated files for the C# build
-/csharp/paket.lock linguist-generated=true
-# needs eol=crlf, as `paket` touches this file and saves it as crlf
-/csharp/.paket/Paket.Restore.targets linguist-generated=true eol=crlf
-/csharp/paket.main.bzl linguist-generated=true
-/csharp/paket.main_extension.bzl linguist-generated=true
-
-# ripunzip tool
-/misc/ripunzip/ripunzip-* filter=lfs diff=lfs merge=lfs -text
-
-# swift prebuilt resources
-/swift/third_party/resources/*.zip filter=lfs diff=lfs merge=lfs -text
-/swift/third_party/resources/*.tar.zst filter=lfs diff=lfs merge=lfs -text
+# Generated test files - these are synced from the standard JavaScript libraries using
+# `javascript/ql/experimental/adaptivethreatmodeling/test/update_endpoint_test_files.py`.
+javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/autogenerated/**/*.js linguist-generated=true -merge
+javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/autogenerated/**/*.ts linguist-generated=true -merge
--- a/.github/actions/cache-query-compilation/action.yml
+++ b/.github/actions/cache-query-compilation/action.yml
@@ -9,7 +9,7 @@ inputs:
 outputs:
  cache-dir:
    description: "The directory where the cache was stored"
-    value: ${{ steps.output-compilation-dir.outputs.compdir }}
+    value: ${{ steps.fill-compilation-dir.outputs.compdir }}

 runs:
  using: composite
@@ -23,127 +23,33 @@ runs:
      run: |
        MERGE_BASE=$(git cat-file commit $GITHUB_SHA | grep '^parent ' | head -1 | cut -f 2 -d " ")
        echo "merge_base=$MERGE_BASE" >> $GITHUB_ENV
-    - name: Restore cache (PR)
+    - name: Restore read-only cache (PR)
      if: ${{ github.event_name == 'pull_request' }}
-      uses: actions/cache/restore@v3
+      uses: erik-krogh/actions-cache@a88d0603fe5fb5606db9f002dfcadeb32b5f84c6
      with:
-        path: |
-          **/.cache
-          ~/.codeql/compile-cache
+        path: '**/.cache'
+        read-only: true
        key: codeql-compile-${{ inputs.key }}-pr-${{ github.sha }}
        restore-keys: |
          codeql-compile-${{ inputs.key }}-${{ github.base_ref }}-${{ env.merge_base }}
          codeql-compile-${{ inputs.key }}-${{ github.base_ref }}-
          codeql-compile-${{ inputs.key }}-main-
-    - name: Fill cache (only branch push)
+    - name: Fill cache (push)
      if: ${{ github.event_name != 'pull_request' }}
-      uses: actions/cache@v3
+      uses: erik-krogh/actions-cache@a88d0603fe5fb5606db9f002dfcadeb32b5f84c6
      with:
-        path: |
-          **/.cache
-          ~/.codeql/compile-cache
+        path: '**/.cache'
        key: codeql-compile-${{ inputs.key }}-${{ github.ref_name }}-${{ github.sha }} # just fill on main
        restore-keys: | # restore the latest cache if the exact cache is unavailable, to speed up compilation.
          codeql-compile-${{ inputs.key }}-${{ github.ref_name }}-
          codeql-compile-${{ inputs.key }}-main-
-    - name: Output-compilationdir
-      id: output-compilation-dir
+    - name: Fill compilation cache directory
+      id: fill-compilation-dir
      shell: bash
      run: |
+        # Move all the existing cache into another folder, so we only preserve the cache for the current queries.
+        node $GITHUB_WORKSPACE/.github/actions/cache-query-compilation/move-caches.js ${COMBINED_CACHE_DIR}
+
        echo "compdir=${COMBINED_CACHE_DIR}" >> $GITHUB_OUTPUT
      env:
        COMBINED_CACHE_DIR: ${{ runner.temp }}/compilation-dir
-    - name: Fill compilation cache directory
-      id: fill-compilation-dir
-      uses: actions/github-script@v6
-      env: 
-        COMBINED_CACHE_DIR: ${{ runner.temp }}/compilation-dir
-      with:
-        script: |
-          // # Move all the existing cache into another folder, so we only preserve the cache for the current queries.
-          // mkdir -p ${COMBINED_CACHE_DIR}
-          // rm -f **/.cache/{lock,size} # -f to avoid errors if the cache is empty.
-          // # copy the contents of the .cache folders into the combined cache folder.
-          // cp -r **/.cache/* ${COMBINED_CACHE_DIR}/ || : # ignore missing files
-          // # clean up the .cache folders
-          // rm -rf **/.cache/*
-
-          const fs = require("fs");
-          const path = require("path");
-          const os = require("os");
-
-          // the first argv is the cache folder to create.
-          const COMBINED_CACHE_DIR = process.env.COMBINED_CACHE_DIR;
-
-          function* walkCaches(dir) {
-            const files = fs.readdirSync(dir, { withFileTypes: true });
-            for (const file of files) {
-              if (file.isDirectory()) {
-                const filePath = path.join(dir, file.name);
-                yield* walkCaches(filePath);
-                if (file.name === ".cache") {
-                  yield filePath;
-                }
-              }
-            }
-          }
-
-          async function copyDir(src, dest) {
-            for await (const file of await fs.promises.readdir(src, { withFileTypes: true })) {
-              const srcPath = path.join(src, file.name);
-              const destPath = path.join(dest, file.name);
-              if (file.isDirectory()) {
-                if (!fs.existsSync(destPath)) {
-                  fs.mkdirSync(destPath);
-                }
-                await copyDir(srcPath, destPath);
-              } else {
-                await fs.promises.copyFile(srcPath, destPath);
-              }
-            }
-          }
-
-          async function main() {
-            const cacheDirs = [...walkCaches(".")];
-
-            for (const dir of cacheDirs) {
-              console.log(`Found .cache dir at ${dir}`);
-            }
-
-            const globalCacheDir = path.join(os.homedir(), ".codeql", "compile-cache");
-            if (fs.existsSync(globalCacheDir)) {
-              console.log("Found global home dir: " + globalCacheDir);
-              cacheDirs.push(globalCacheDir);
-            }
-
-            if (cacheDirs.length === 0) {
-              console.log("No cache dirs found");
-              return;
-            }
-
-            // mkdir -p ${COMBINED_CACHE_DIR}
-            fs.mkdirSync(COMBINED_CACHE_DIR, { recursive: true });
-
-            // rm -f **/.cache/{lock,size} # -f to avoid errors if the cache is empty.
-            await Promise.all(
-              cacheDirs.map((cacheDir) =>
-                (async function () {
-                  await fs.promises.rm(path.join(cacheDir, "lock"), { force: true });
-                  await fs.promises.rm(path.join(cacheDir, "size"), { force: true });
-                })()
-              )
-            );
-
-            // # copy the contents of the .cache folders into the combined cache folder.
-            // cp -r **/.cache/* ${COMBINED_CACHE_DIR}/ || : # ignore missing files
-            await Promise.all(
-              cacheDirs.map((cacheDir) => copyDir(cacheDir, COMBINED_CACHE_DIR))
-            );
-
-            // # clean up the .cache folders
-            // rm -rf **/.cache/*
-            await Promise.all(
-              cacheDirs.map((cacheDir) => fs.promises.rm(cacheDir, { recursive: true }))
-            );
-          }
-          main();
--- a/.github/actions/cache-query-compilation/move-caches.js
+++ b/.github/actions/cache-query-compilation/move-caches.js
@@ -0,0 +1,75 @@
+// # Move all the existing cache into another folder, so we only preserve the cache for the current queries.
+// mkdir -p ${COMBINED_CACHE_DIR}
+// rm -f **/.cache/{lock,size} # -f to avoid errors if the cache is empty.
+// # copy the contents of the .cache folders into the combined cache folder.
+// cp -r **/.cache/* ${COMBINED_CACHE_DIR}/ || : # ignore missing files
+// # clean up the .cache folders
+// rm -rf **/.cache/*
+
+const fs = require("fs");
+const path = require("path");
+
+// the first argv is the cache folder to create.
+const COMBINED_CACHE_DIR = process.argv[2];
+
+function* walkCaches(dir) {
+  const files = fs.readdirSync(dir, { withFileTypes: true });
+  for (const file of files) {
+    if (file.isDirectory()) {
+      const filePath = path.join(dir, file.name);
+      yield* walkCaches(filePath);
+      if (file.name === ".cache") {
+        yield filePath;
+      }
+    }
+  }
+}
+
+async function copyDir(src, dest) {
+  for await (const file of await fs.promises.readdir(src, { withFileTypes: true })) {
+    const srcPath = path.join(src, file.name);
+    const destPath = path.join(dest, file.name);
+    if (file.isDirectory()) {
+      if (!fs.existsSync(destPath)) {
+        fs.mkdirSync(destPath);
+      }
+      await copyDir(srcPath, destPath);
+    } else {
+      await fs.promises.copyFile(srcPath, destPath);
+    }
+  }
+}
+
+async function main() {
+  const cacheDirs = [...walkCaches(".")];
+
+  for (const dir of cacheDirs) {
+    console.log(`Found .cache dir at ${dir}`);
+  }
+
+  // mkdir -p ${COMBINED_CACHE_DIR}
+  fs.mkdirSync(COMBINED_CACHE_DIR, { recursive: true });
+
+  // rm -f **/.cache/{lock,size} # -f to avoid errors if the cache is empty.
+  await Promise.all(
+    cacheDirs.map((cacheDir) =>
+      (async function () {
+        await fs.promises.rm(path.join(cacheDir, "lock"), { force: true });
+        await fs.promises.rm(path.join(cacheDir, "size"), { force: true });
+      })()
+    )
+  );
+
+  // # copy the contents of the .cache folders into the combined cache folder.
+  // cp -r **/.cache/* ${COMBINED_CACHE_DIR}/ || : # ignore missing files
+  await Promise.all(
+    cacheDirs.map((cacheDir) => copyDir(cacheDir, COMBINED_CACHE_DIR))
+  );
+
+  // # clean up the .cache folders
+  // rm -rf **/.cache/*
+  await Promise.all(
+    cacheDirs.map((cacheDir) => fs.promises.rm(cacheDir, { recursive: true }))
+  );
+}
+main();
--- a/.github/actions/fetch-codeql/action.yml
+++ b/.github/actions/fetch-codeql/action.yml
@@ -19,6 +19,4 @@ runs:
        gh extension install github/gh-codeql
        gh codeql set-channel "$CHANNEL"
        gh codeql version
-        printf "CODEQL_FETCHED_CODEQL_PATH=" >> "${GITHUB_ENV}"
-        gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_ENV}"
        gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_PATH}"
--- a/.github/actions/find-latest-bundle/action.yml
+++ b/.github/actions/find-latest-bundle/action.yml
@@ -0,0 +1,26 @@
+name: Find Latest CodeQL Bundle
+description: Finds the URL of the latest released version of the CodeQL bundle.
+outputs:
+  url:
+    description: The download URL of the latest CodeQL bundle release
+    value: ${{ steps.find-latest.outputs.url }}
+runs:
+  using: composite
+  steps:
+    - name: Find Latest Release
+      id: find-latest
+      shell: pwsh
+      run: |
+        $Latest = gh release list --repo github/codeql-action --exclude-drafts --limit 1000 |
+          ForEach-Object { $C = $_ -split "`t"; return @{ type = $C[1]; tag = $C[2]; } } |
+          Where-Object { $_.type -eq 'Latest' }
+
+        $Tag = $Latest.tag
+        if ($Tag -eq '') {
+          throw 'Failed to find latest bundle release.'
+        }
+
+        Write-Output "Latest bundle tag is '${Tag}'."
+        "url=https://github.com/github/codeql-action/releases/download/${Tag}/codeql-bundle-linux64.tar.gz" >> $env:GITHUB_OUTPUT
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
--- a/.github/actions/os-version/action.yml
+++ b/.github/actions/os-version/action.yml
@@ -1,32 +0,0 @@
-name: OS Version
-description: Get OS version.
-
-outputs:
-  version:
-    description: "OS version"
-    value: ${{ steps.version.outputs.version }}
-
-runs:
-  using: composite
-  steps:
-    - if: runner.os == 'Linux'
-      shell: bash
-      run: |
-        . /etc/os-release
-        echo "VERSION=${NAME} ${VERSION}" >> $GITHUB_ENV
-    - if: runner.os == 'Windows'
-      shell: powershell
-      run: |
-        $objects = systeminfo.exe /FO CSV | ConvertFrom-Csv
-        "VERSION=$($objects.'OS Name') $($objects.'OS Version')" >> $env:GITHUB_ENV
-    - if: runner.os == 'macOS'
-      shell: bash
-      run: |
-        echo "VERSION=$(sw_vers -productName) $(sw_vers -productVersion)" >> $GITHUB_ENV
-    - name: Emit OS version
-      id: version
-      shell: bash
-      run: |
-        echo "$VERSION"
-        echo "version=${VERSION}" >> $GITHUB_OUTPUT
-
--- a/.github/codeql/codeql-config.yml
+++ b/.github/codeql/codeql-config.yml
@@ -4,13 +4,8 @@ queries:
  - uses: security-and-quality

 paths-ignore:
-  - '/actions/ql/test'
  - '/cpp/'
  - '/java/'
  - '/python/'
  - '/javascript/ql/test'
-  - '/javascript/ql/integration-tests'
  - '/javascript/extractor/tests'
-  - '/javascript/extractor/parser-tests'
-  - '/javascript/ql/src/'
-  - '/rust/ql'
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,12 +1,19 @@
 version: 2
 updates:
  - package-ecosystem: "cargo"
-    directory: "ruby"
+    directory: "ruby/node-types"
    schedule:
      interval: "daily"
-
  - package-ecosystem: "cargo"
-    directory: "ql"
+    directory: "ruby/generator"
+    schedule:
+      interval: "daily"
+  - package-ecosystem: "cargo"
+    directory: "ruby/extractor"
+    schedule:
+      interval: "daily"
+  - package-ecosystem: "cargo"
+    directory: "ruby/autobuilder"
    schedule:
      interval: "daily"

@@ -17,26 +24,3 @@ updates:
    ignore:
      - dependency-name: '*'
        update-types: ['version-update:semver-patch', 'version-update:semver-minor']
-
-  - package-ecosystem: "gomod"
-    directory: "go/extractor"
-    schedule:
-      interval: "daily"
-    allow:
-      - dependency-name: "golang.org/x/mod"
-      - dependency-name: "golang.org/x/tools"
-    groups:
-      extractor-dependencies:
-        patterns:
-          - "golang.org/x/*"
-    reviewers:
-      - "github/codeql-go"
-
-  - package-ecosystem: "gomod"
-    directory: "go/ql/test"
-    schedule:
-      interval: "monthly"
-    ignore:
-      - dependency-name: "*"
-    reviewers:
-      - "github/codeql-go"
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -11,16 +11,17 @@ Go:
  - change-notes/**/*go.*

 Java:
-  - any: [ 'java/**/*', '!java/kotlin-extractor/**/*', '!java/ql/test/kotlin/**/*' ]
+  - any: [ 'java/**/*', '!java/kotlin-extractor/**/*', '!java/kotlin-explorer/**/*', '!java/ql/test/kotlin/**/*' ]
  - change-notes/**/*java.*

 JS:
-  - any: [ 'javascript/**/*' ]
+  - any: [ 'javascript/**/*', '!javascript/ql/experimental/adaptivethreatmodeling/**/*' ]
  - change-notes/**/*javascript*

 Kotlin:
  - java/kotlin-extractor/**/*
-  - java/ql/test-kotlin*/**/*
+  - java/kotlin-explorer/**/*
+  - java/ql/test/kotlin/**/*

 Python:
  - python/**/*
@@ -30,18 +31,10 @@ Ruby:
  - ruby/**/*
  - change-notes/**/*ruby*

-Rust:
-  - rust/**/*
-  - change-notes/**/*rust*
-
 Swift:
  - swift/**/*
  - change-notes/**/*swift*

-Actions:
-  - actions/**/*
-  - change-notes/**/*actions*
-
 documentation:
  - "**/*.qhelp"
  - "**/*.md"
@@ -53,4 +46,11 @@ documentation:

 # Since these are all shared files that need to be synced, just pick _one_ copy of each.
 "DataFlow Library":
-  - "shared/dataflow/**/*"
+  - "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll"
+  - "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll"
+  - "java/ql/lib/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll"
+  - "java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll"
+  - "java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll"
+
+"ATM":
+  - javascript/ql/experimental/adaptivethreatmodeling/**/*
--- a/.github/workflows/atm-check-query-suite.yml
+++ b/.github/workflows/atm-check-query-suite.yml
@@ -0,0 +1,93 @@
+name: "ATM - Check query suite"
+
+env:
+  QUERY_PACK: javascript/ql/experimental/adaptivethreatmodeling/src
+  QUERY_SUITE: codeql-suites/javascript-atm-code-scanning.qls
+
+on:
+  pull_request:
+    paths:
+      - ".github/workflows/atm-check-query-suite.yml"
+      - "javascript/ql/experimental/adaptivethreatmodeling/**"
+  workflow_dispatch:
+
+jobs:
+  atm-check-query-suite:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Setup CodeQL
+        uses: ./.github/actions/fetch-codeql
+        with:
+          channel: release
+
+      - name: Install ATM model
+        run: |
+          set -exu
+
+          # Install dependencies of ATM query pack, i.e. the ATM model
+          codeql pack install "${QUERY_PACK}"
+
+          # Retrieve model checksum
+          model_checksum=$(codeql resolve extensions "${QUERY_PACK}/${QUERY_SUITE}" | jq -r '.models[0].checksum')
+
+          # Trust the model so that we can use it in the ATM boosted queries
+          mkdir -p "$HOME/.config/codeql"
+          echo "--insecurely-execute-ml-model-checksums ${model_checksum}" >> "$HOME/.config/codeql/config"
+
+      - name: Create test DB
+        run: |
+          DB_PATH="${RUNNER_TEMP}/db"
+          echo "DB_PATH=${DB_PATH}" >> "${GITHUB_ENV}"
+
+          codeql database create "${DB_PATH}" --source-root config/atm --language javascript 
+
+      - name: Run ATM query suite
+        run: |
+          SARIF_PATH="${RUNNER_TEMP}/sarif.json"
+          echo "SARIF_PATH=${SARIF_PATH}" >> "${GITHUB_ENV}"
+
+          codeql database analyze \
+            --format sarif-latest \
+            --output "${SARIF_PATH}" \
+            --sarif-group-rules-by-pack \
+            -vv \
+            -- \
+            "${DB_PATH}" \
+            "${QUERY_PACK}/${QUERY_SUITE}"
+
+      - name: Upload SARIF
+        uses: actions/upload-artifact@v3
+        with:
+          name: javascript-ml-powered-queries.sarif
+          path: "${{ env.SARIF_PATH }}"
+          retention-days: 5
+
+      - name: Check results
+        run: |
+          # We should run at least the ML-powered queries in `expected_rules`.
+          expected_rules="js/ml-powered/nosql-injection js/ml-powered/path-injection js/ml-powered/sql-injection js/ml-powered/xss"
+
+          for rule in ${expected_rules}; do
+            found_rule=$(jq --arg rule "${rule}" '[.runs[0].tool.extensions[].rules | select(. != null) |
+              flatten | .[].id] | any(. == $rule)' "${SARIF_PATH}")
+            if [[ "${found_rule}" != "true" ]]; then
+              echo "Expected SARIF output to contain rule '${rule}', but found no such rule."
+              exit 1
+            else
+              echo "Found rule '${rule}'."
+            fi
+          done
+
+          # We should have at least one alert from an ML-powered query.
+          num_alerts=$(jq '[.runs[0].results[] |
+            select(.properties.score != null and (.rule.id | startswith("js/ml-powered/")))] | length' \
+            "${SARIF_PATH}")
+          if [[ "${num_alerts}" -eq 0 ]]; then
+            echo "Expected to find at least one alert from an ML-powered query but found ${num_alerts}."
+            exit 1
+          else
+            echo "Found ${num_alerts} alerts from ML-powered queries.";
+          fi
--- a/.github/workflows/atm-model-integration-tests.yml
+++ b/.github/workflows/atm-model-integration-tests.yml
@@ -0,0 +1,12 @@
+name: ATM Model Integration Tests
+
+on:
+  workflow_dispatch:
+
+jobs:
+  hello-world:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: foo
+        run: echo "Hello world"
--- a/.github/workflows/build-ripunzip.yml
+++ b/.github/workflows/build-ripunzip.yml
@@ -1,74 +0,0 @@
-name: Build runzip
-
-on:
-  workflow_dispatch:
-    inputs:
-      ripunzip-version:
-        description: "what reference to checktout from google/runzip"
-        required: false
-        default: v1.2.1
-      openssl-version:
-        description: "what reference to checkout from openssl/openssl for Linux"
-        required: false
-        default: openssl-3.3.0
-
-jobs:
-  build:
-    strategy:
-      fail-fast: false
-      matrix:
-        os: [ubuntu-22.04, macos-13, windows-2019]
-    runs-on: ${{ matrix.os }}
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          repository: google/ripunzip
-          ref: ${{ inputs.ripunzip-version }}
-      # we need to avoid ripunzip dynamically linking into libssl
-      # see https://github.com/sfackler/rust-openssl/issues/183
-      - if: runner.os == 'Linux'
-        name: checkout openssl
-        uses: actions/checkout@v4
-        with:
-          repository: openssl/openssl
-          path: openssl
-          ref: ${{ inputs.openssl-version }}
-      - if: runner.os == 'Linux'
-        name: build and install openssl with fPIC
-        shell: bash
-        working-directory: openssl
-        run: |
-          ./config -fPIC --prefix=$HOME/.local --openssldir=$HOME/.local/ssl
-          make -j $(nproc)
-          make install_sw -j $(nproc)
-      - if: runner.os == 'Linux'
-        name: build (linux)
-        shell: bash
-        run: |
-          env OPENSSL_LIB_DIR=$HOME/.local/lib64 OPENSSL_INCLUDE_DIR=$HOME/.local/include OPENSSL_STATIC=yes cargo build --release
-          mv target/release/ripunzip ripunzip-linux
-      - if: runner.os == 'Windows'
-        name: build (windows)
-        shell: bash
-        run: |
-          cargo build --release
-          mv target/release/ripunzip ripunzip-windows
-      - name: build (macOS)
-        if: runner.os == 'macOS'
-        shell: bash
-        run: |
-          rustup target install x86_64-apple-darwin
-          rustup target install aarch64-apple-darwin
-          cargo build --target x86_64-apple-darwin --release
-          cargo build --target aarch64-apple-darwin --release
-          lipo -create -output ripunzip-macos \
-            -arch x86_64 target/x86_64-apple-darwin/release/ripunzip \
-            -arch arm64 target/aarch64-apple-darwin/release/ripunzip
-      - uses: actions/upload-artifact@v4
-        with:
-          name: ripunzip-${{ runner.os }}
-          path: ripunzip-*
-      - name: Check built binary
-        shell: bash
-        run: |
-          ./ripunzip-* --version
--- a/.github/workflows/buildifier.yml
+++ b/.github/workflows/buildifier.yml
@@ -1,28 +0,0 @@
-name: Check bazel formatting
-
-on:
-  pull_request:
-    paths:
-      - "**.bazel"
-      - "**.bzl"
-    branches:
-      - main
-      - "rc/*"
-
-permissions:
-  contents: read
-
-jobs:
-  check:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Check bazel formatting
-        uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
-        with:
-          extra_args: >
-            buildifier --all-files 2>&1 ||
-            (
-              echo -e "In order to format all bazel files, please run:\n  bazel run //misc/bazel/buildifier"; exit 1
-            )
--- a/.github/workflows/check-change-note.yml
+++ b/.github/workflows/check-change-note.yml
@@ -1,8 +1,5 @@
 name: Check change note

-permissions:
-  pull-requests: read
-
 on:
  pull_request_target:
    types: [labeled, unlabeled, opened, synchronize, reopened, ready_for_review]
@@ -11,44 +8,21 @@ on:
      - "*/ql/src/**/*.qll"
      - "*/ql/lib/**/*.ql"
      - "*/ql/lib/**/*.qll"
-      - "*/ql/lib/**/*.yml"
-      - "shared/**/*.ql"
-      - "shared/**/*.qll"
      - "!**/experimental/**"
      - "!ql/**"
-      - "!rust/**"
+      - "!swift/**"
      - ".github/workflows/check-change-note.yml"

 jobs:
  check-change-note:
-    env:
-      REPO: ${{ github.repository }}
-      PULL_REQUEST_NUMBER: ${{ github.event.number }}
-      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    runs-on: ubuntu-latest
    steps:
-
      - name: Fail if no change note found. To fix, either add one, or add the `no-change-note-required` label.
        if: |
          github.event.pull_request.draft == false &&
          !contains(github.event.pull_request.labels.*.name, 'no-change-note-required')
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
-          change_note_files=$(gh api "repos/$REPO/pulls/$PULL_REQUEST_NUMBER/files" --paginate --jq '.[].filename | select(test("/change-notes/.*[.]md$"))')
-
-          if [ -z "$change_note_files" ]; then
-            echo "No change note found. Either add one, or add the 'no-change-note-required' label."
-            exit 1
-          fi
-
-          echo "Change notes found:"
-          echo "$change_note_files"
-
-      - name: Fail if the change note filename doesn't match the expected format. The file name must be of the form 'YYYY-MM-DD.md', 'YYYY-MM-DD-{title}.md', where '{title}' is arbitrary text, or released/x.y.z.md for released change-notes
-        run: |
-          bad_change_note_file_names=$(gh api "repos/$REPO/pulls/$PULL_REQUEST_NUMBER/files" --paginate --jq '[.[].filename | select(test("/change-notes/.*[.]md$"))][] | select((test("/change-notes/[0-9]{4}-[0-9]{2}-[0-9]{2}.*[.]md$") or test("/change-notes/released/[0-9]*[.][0-9]*[.][0-9]*[.]md$")) | not)')
-
-          if [ -n "$bad_change_note_file_names" ]; then
-            echo "The following change note file names are invalid:"
-            echo "$bad_change_note_file_names"
-            exit 1
-          fi
+          gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' |
+          grep true -c
--- a/.github/workflows/check-implicit-this.yml
+++ b/.github/workflows/check-implicit-this.yml
@@ -1,32 +0,0 @@
-name: "Check implicit this warnings"
-
-on:
-  workflow_dispatch:
-  pull_request:
-    paths:
-      - "**qlpack.yml"
-    branches:
-      - main
-      - "rc/*"
-
-permissions:
-  contents: read
-
-jobs:
-  check:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Check that implicit this warnings is enabled for all packs
-        shell: bash
-        run: |
-          EXIT_CODE=0
-          packs="$(find . -iname 'qlpack.yml')"
-          for pack_file in ${packs}; do
-            option="$(yq '.warnOnImplicitThis' ${pack_file})"
-            if [ "${option}" != "true" ]; then
-              echo "::error file=${pack_file}::warnOnImplicitThis property must be set to 'true' for pack ${pack_file}"
-              EXIT_CODE=1
-            fi
-          done
-          exit "${EXIT_CODE}"
--- a/.github/workflows/check-qldoc.yml
+++ b/.github/workflows/check-qldoc.yml
@@ -10,15 +10,12 @@ on:
      - main
      - "rc/*"

-permissions:
-  contents: read
-
 jobs:
  qldoc:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
        with:
          fetch-depth: 2

@@ -29,9 +26,9 @@ jobs:
        shell: bash
        run: |
          EXIT_CODE=0
+          # TODO: remove the swift exception from the regex when we fix generated QLdoc
          # TODO: remove the shared exception from the regex when coverage of qlpacks without dbschemes is supported
-          # TODO: remove the actions exception once https://github.com/github/codeql-team/issues/3656 is fixed
-          changed_lib_packs="$(git diff --name-only --diff-filter=ACMRT HEAD^ HEAD | { grep -Po '^(?!(shared|actions))[a-z]*/ql/lib' || true; } | sort -u)"
+          changed_lib_packs="$(git diff --name-only --diff-filter=ACMRT HEAD^ HEAD | { grep -Po '^(?!(swift|shared))[a-z]*/ql/lib' || true; } | sort -u)"
          for pack_dir in ${changed_lib_packs}; do
            lang="${pack_dir%/ql/lib}"
            codeql generate library-doc-coverage --output="${RUNNER_TEMP}/${lang}-current.txt" --dir="${pack_dir}"
--- a/.github/workflows/check-query-ids.yml
+++ b/.github/workflows/check-query-ids.yml
@@ -11,14 +11,11 @@ on:
      - "rc/*"
  workflow_dispatch:

-permissions:
-  contents: read
-
 jobs:
  check:
    name: Check query IDs
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
      - name: Check for duplicate query IDs
        run: python3 misc/scripts/check-query-ids.py
--- a/.github/workflows/close-stale.yml
+++ b/.github/workflows/close-stale.yml
@@ -5,9 +5,6 @@ on:
  schedule:
    - cron: "30 1 * * *"

-permissions:
-  issues: write
-
 jobs:
  stale:
    if: github.repository == 'github/codeql'
@@ -15,7 +12,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-    - uses: actions/stale@v9
+    - uses: actions/stale@v6
      with:
        repo-token: ${{ secrets.GITHUB_TOKEN }}
        stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Comment or remove the `Stale` label in order to avoid having this issue closed in 7 days.'
--- a/.github/workflows/codegen.yml
+++ b/.github/workflows/codegen.yml
@@ -1,34 +0,0 @@
-name: Codegen
-
-on:
-  pull_request:
-    paths:
-      - "misc/bazel/**"
-      - "misc/codegen/**"
-      - "*.bazel*"
-      - .github/workflows/codegen.yml
-      - .pre-commit-config.yaml
-    branches:
-      - main
-      - rc/*
-      - codeql-cli-*
-
-permissions:
-  contents: read
-
-jobs:
-  codegen:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v4
-        with:
-          python-version-file: 'misc/codegen/.python-version'
-      - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
-        name: Check that python code is properly formatted
-        with:
-          extra_args: autopep8 --all-files
-      - name: Run codegen tests
-        shell: bash
-        run: |
-          bazel test //misc/codegen/...
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -18,10 +18,6 @@ on:

 jobs:
  CodeQL-Build:
-    strategy:
-      fail-fast: false
-      matrix:
-        language: ['actions', 'csharp']

    runs-on: ubuntu-latest

@@ -32,18 +28,19 @@ jobs:

    steps:
    - name: Setup dotnet
-      uses: actions/setup-dotnet@v4
+      uses: actions/setup-dotnet@v2
      with:
-        dotnet-version: 9.0.100
+        dotnet-version: 6.0.202

    - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v3

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
      uses: github/codeql-action/init@main
+      # Override language selection by uncommenting this and choosing your languages
      with:
-        languages: ${{ matrix.language }}
+        languages: csharp
        config-file: ./.github/codeql/codeql-config.yml

    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
@@ -59,9 +56,7 @@ jobs:
    #    uses a compiled language

    - run: |
-       cd csharp
-       dotnet tool restore
-       dotnet build .
+       dotnet build csharp

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@main
--- a/.github/workflows/compile-queries.yml
+++ b/.github/workflows/compile-queries.yml
@@ -7,22 +7,13 @@ on:
      - "rc/*"
      - "codeql-cli-*"
  pull_request:
-    paths:
-      - '**.ql'
-      - '**.qll'
-      - '**/qlpack.yml'
-      - '**.dbscheme'
-
-permissions:
-  contents: read

 jobs:
  compile-queries:
-    if: github.repository_owner == 'github'
    runs-on: ubuntu-latest-xl

    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
      - name: Setup CodeQL
        uses: ./.github/actions/fetch-codeql
        with:
@@ -33,14 +24,14 @@ jobs:
        with: 
          key: all-queries
      - name: check formatting
-        run: find shared */ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 -n 3000 -P 10 codeql query format -q --check-only
+        run: find */ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 codeql query format --check-only
      - name: compile queries - check-only
        # run with --check-only if running in a PR (github.sha != main)
        if : ${{ github.event_name == 'pull_request' }}
        shell: bash
-        run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
+        run: codeql query compile -j0 */ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
      - name: compile queries - full
        # do full compile if running on main - this populates the cache
        if : ${{ github.event_name != 'pull_request' }}
        shell: bash
-        run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
+        run: codeql query compile -j0 */ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
--- a/.github/workflows/cpp-swift-analysis.yml
+++ b/.github/workflows/cpp-swift-analysis.yml
@@ -1,53 +0,0 @@
-name: "Code scanning - C++"
-
-on:
-  push:
-    branches:
-      - main
-      - 'rc/*'
-  pull_request:
-    branches:
-      - main
-      - 'rc/*'
-    paths:
-      - 'swift/**'
-      - '.github/codeql/**'
-      - '.github/workflows/cpp-swift-analysis.yml'
-  schedule:
-    - cron: '0 9 * * 1'
-
-jobs:
-  CodeQL-Build:
-
-    runs-on: ubuntu-24.04
-
-    permissions:
-      contents: read
-      security-events: write
-      pull-requests: read
-
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v4
-
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@main
-      # Override language selection by uncommenting this and choosing your languages
-      with:
-        languages: cpp
-        config-file: ./.github/codeql/codeql-config.yml
-
-    - name: Install dependencies
-      run: |
-        sudo apt-get update
-        sudo apt-get install -y uuid-dev
-
-    - name: "Build Swift extractor using Bazel"
-      run: |
-        bazel clean --expunge
-        bazel run //swift:install --nouse_action_cache --noremote_accept_cached --noremote_upload_local_results --spawn_strategy=local
-        bazel shutdown
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@main
--- a/.github/workflows/csharp-qltest.yml
+++ b/.github/workflows/csharp-qltest.yml
@@ -5,10 +5,8 @@ on:
    paths:
      - "csharp/**"
      - "shared/**"
-      - "misc/bazel/**"
      - .github/actions/fetch-codeql/action.yml
      - codeql-workspace.yml
-      - "MODULE.bazel"
    branches:
      - main
      - "rc/*"
@@ -16,11 +14,9 @@ on:
    paths:
      - "csharp/**"
      - "shared/**"
-      - "misc/bazel/**"
      - .github/workflows/csharp-qltest.yml
      - .github/actions/fetch-codeql/action.yml
      - codeql-workspace.yml
-      - "MODULE.bazel"
    branches:
      - main
      - "rc/*"
@@ -29,43 +25,62 @@ defaults:
  run:
    working-directory: csharp

-permissions:
-  contents: read
-
 jobs:
-  unit-tests:
-    strategy:
-      matrix:
-        os: [ubuntu-latest, windows-2019]
-    runs-on: ${{ matrix.os }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup dotnet
-        uses: actions/setup-dotnet@v4
-        with:
-          dotnet-version: 9.0.100
-      - name: Extractor unit tests
-        run: |
-          dotnet tool restore
-          dotnet test -p:RuntimeFrameworkVersion=9.0.0 extractor/Semmle.Util.Tests
-          dotnet test -p:RuntimeFrameworkVersion=9.0.0 extractor/Semmle.Extraction.Tests
-          dotnet test -p:RuntimeFrameworkVersion=9.0.0 autobuilder/Semmle.Autobuild.CSharp.Tests
-          dotnet test -p:RuntimeFrameworkVersion=9.0.0 autobuilder/Semmle.Autobuild.Cpp.Tests
-        shell: bash
-  stubgentest:
+  qlupgrade:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
-      - uses: ./csharp/actions/create-extractor-pack
-      - name: Run stub generator tests
+      - uses: actions/checkout@v3
+      - uses: ./.github/actions/fetch-codeql
+      - name: Check DB upgrade scripts
        run: |
-          # Generate (Asp)NetCore stubs
-          STUBS_PATH=stubs_output
-          python3 scripts/stubs/make_stubs_nuget.py webapp Swashbuckle.AspNetCore.Swagger 6.5.0 "$STUBS_PATH"
-          rm -rf ql/test/resources/stubs/_frameworks
-          # Update existing stubs in the repo with the freshly generated ones
-          mv "$STUBS_PATH/output/stubs/_frameworks" ql/test/resources/stubs/
-          git status
-          codeql test run --threads=0 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote
+          echo >empty.trap
+          codeql dataset import -S ql/lib/upgrades/initial/semmlecode.csharp.dbscheme testdb empty.trap
+          codeql dataset upgrade testdb --additional-packs ql/lib
+          diff -q testdb/semmlecode.csharp.dbscheme ql/lib/semmlecode.csharp.dbscheme
+      - name: Check DB downgrade scripts
+        run: |
+          echo >empty.trap
+          rm -rf testdb; codeql dataset import -S ql/lib/semmlecode.csharp.dbscheme testdb empty.trap
+          codeql resolve upgrades --format=lines --allow-downgrades --additional-packs downgrades \
+           --dbscheme=ql/lib/semmlecode.csharp.dbscheme --target-dbscheme=downgrades/initial/semmlecode.csharp.dbscheme |
+           xargs codeql execute upgrades testdb
+          diff -q testdb/semmlecode.csharp.dbscheme downgrades/initial/semmlecode.csharp.dbscheme
+  qltest:
+    runs-on: ubuntu-latest-xl
+    strategy:
+      fail-fast: false
+      matrix:
+        slice: ["1/2", "2/2"]
+    steps:
+      - uses: actions/checkout@v3
+      - uses: ./.github/actions/fetch-codeql
+      - uses: ./csharp/actions/create-extractor-pack
+      - name: Cache compilation cache
+        id: query-cache
+        uses: ./.github/actions/cache-query-compilation
+        with:
+          key: csharp-qltest-${{ matrix.slice }}
+      - name: Run QL tests
+        run: |
+          CODEQL_PATH=$(gh codeql version --format=json | jq -r .unpackedLocation)
+          # The legacy ASP extractor is not in this repo, so take the one from the nightly build
+          mv "$CODEQL_PATH/csharp/tools/extractor-asp.jar" "${{ github.workspace }}/csharp/extractor-pack/tools"
+          # Safe guard against using the bundled extractor
+          rm -rf "$CODEQL_PATH/csharp"
+          codeql test run --threads=0 --ram 50000 --slice ${{ matrix.slice }} --search-path "${{ github.workspace }}/csharp/extractor-pack" --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
        env:
          GITHUB_TOKEN: ${{ github.token }}
+  unit-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup dotnet
+        uses: actions/setup-dotnet@v3
+        with:
+          dotnet-version: 6.0.202
+      - name: Extractor unit tests
+        run: |
+          dotnet test -p:RuntimeFrameworkVersion=6.0.4 "${{ github.workspace }}/csharp/extractor/Semmle.Util.Tests"
+          dotnet test -p:RuntimeFrameworkVersion=6.0.4 "${{ github.workspace }}/csharp/extractor/Semmle.Extraction.Tests"
+          dotnet test -p:RuntimeFrameworkVersion=6.0.4 "${{ github.workspace }}/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests"
+          dotnet test -p:RuntimeFrameworkVersion=6.0.4 "${{ github.workspace }}/cpp/autobuilder/Semmle.Autobuild.Cpp.Tests"
--- a/.github/workflows/csv-coverage-metrics.yml
+++ b/.github/workflows/csv-coverage-metrics.yml
@@ -14,16 +14,12 @@ on:
      - ".github/workflows/csv-coverage-metrics.yml"
      - ".github/actions/fetch-codeql/action.yml"

-permissions:
-  contents: read
-  security-events: write
-
 jobs:
  publish-java:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
      - name: Setup CodeQL
        uses: ./.github/actions/fetch-codeql
      - name: Create empty database
@@ -37,7 +33,7 @@ jobs:
        run: |
          DATABASE="${{ runner.temp }}/java-database"
          codeql database analyze --format=sarif-latest --output=metrics-java.sarif -- "$DATABASE" ./java/ql/src/Metrics/Summaries/FrameworkCoverage.ql
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v3
        with:
          name: metrics-java.sarif
          path: metrics-java.sarif
@@ -51,7 +47,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
      - name: Setup CodeQL
        uses: ./.github/actions/fetch-codeql
      - name: Create empty database
@@ -64,7 +60,7 @@ jobs:
        run: |
          DATABASE="${{ runner.temp }}/csharp-database"
          codeql database analyze --format=sarif-latest --output=metrics-csharp.sarif -- "$DATABASE" ./csharp/ql/src/Metrics/Summaries/FrameworkCoverage.ql
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v3
        with:
          name: metrics-csharp.sarif
          path: metrics-csharp.sarif
--- a/.github/workflows/csv-coverage-pr-artifacts.yml
+++ b/.github/workflows/csv-coverage-pr-artifacts.yml
@@ -10,7 +10,6 @@ on:
      - "*/ql/src/**/*.qll"
      - "*/ql/lib/**/*.ql"
      - "*/ql/lib/**/*.qll"
-      - "*/ql/lib/ext/**/*.yml"
      - "misc/scripts/library-coverage/*.py"
      # input data files
      - "*/documentation/library-coverage/cwe-sink.csv"
@@ -19,10 +18,6 @@ on:
      - main
      - "rc/*"

-permissions:
-  contents: read
-  pull-requests: read
-
 jobs:
  generate:
    name: Generate framework coverage artifacts
@@ -35,11 +30,11 @@ jobs:
          GITHUB_CONTEXT: ${{ toJSON(github.event) }}
        run: echo "$GITHUB_CONTEXT"
      - name: Clone self (github/codeql) - MERGE
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
        with:
          path: merge
      - name: Clone self (github/codeql) - BASE
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
        with:
          fetch-depth: 2
          path: base
@@ -71,21 +66,21 @@ jobs:
        run: |
          python base/misc/scripts/library-coverage/compare-folders.py out_base out_merge comparison.md
      - name: Upload CSV package list
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v3
        with:
          name: csv-framework-coverage-merge
          path: |
            out_merge/framework-coverage-*.csv
            out_merge/framework-coverage-*.rst
      - name: Upload CSV package list
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v3
        with:
          name: csv-framework-coverage-base
          path: |
            out_base/framework-coverage-*.csv
            out_base/framework-coverage-*.rst
      - name: Upload comparison results
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v3
        with:
          name: comparison
          path: |
@@ -93,32 +88,9 @@ jobs:
      - name: Save PR number
        run: |
          mkdir -p pr
-          echo ${PR_NUMBER} > pr/NR
-        env:
-          PR_NUMBER: ${{ github.event.pull_request.number }}
+          echo ${{ github.event.pull_request.number }} > pr/NR
      - name: Upload PR number
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v3
        with:
          name: pr
          path: pr/
-      - name: Save comment ID (if it exists)
-        run: |
-          # Find the latest comment starting with COMMENT_PREFIX
-          COMMENT_PREFIX=":warning: The head of this PR and the base branch were compared for differences in the framework coverage reports."
-          COMMENT_ID=$(gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" --paginate | jq --arg prefix "${COMMENT_PREFIX}" 'map(select(.body|startswith($prefix)) | .id) | max // empty')
-          if [[ -z ${COMMENT_ID} ]]
-          then
-            echo "Comment not found. Not uploading 'comment/ID' artifact."
-          else
-            mkdir -p comment
-            echo ${COMMENT_ID} > comment/ID
-          fi
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-      - name: Upload comment ID (if it exists)
-        uses: actions/upload-artifact@v4
-        with:
-          name: comment
-          path: comment/
-          if-no-files-found: ignore
--- a/.github/workflows/csv-coverage-pr-comment.yml
+++ b/.github/workflows/csv-coverage-pr-comment.yml
@@ -6,10 +6,6 @@ on:
    types:
      - completed

-permissions:
-  contents: read
-  pull-requests: write
-
 jobs:
  check:
    name: Check framework coverage differences and comment
@@ -24,7 +20,7 @@ jobs:
        GITHUB_CONTEXT: ${{ toJSON(github.event) }}
      run: echo "$GITHUB_CONTEXT"
    - name: Clone self (github/codeql)
-      uses: actions/checkout@v4
+      uses: actions/checkout@v3
    - name: Set up Python 3.8
      uses: actions/setup-python@v4
      with:
--- a/.github/workflows/csv-coverage-timeseries.yml
+++ b/.github/workflows/csv-coverage-timeseries.yml
@@ -3,20 +3,17 @@ name: Build framework coverage timeseries reports
 on:
  workflow_dispatch:

-permissions:
-  contents: read
-
 jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      - name: Clone self (github/codeql)
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
        with:
          path: script
      - name: Clone self (github/codeql) for analysis
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
        with:
          path: codeqlModels
          fetch-depth: 0
@@ -30,7 +27,7 @@ jobs:
        run: |
          python script/misc/scripts/library-coverage/generate-timeseries.py codeqlModels
      - name: Upload timeseries CSV
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v3
        with:
          name: framework-coverage-timeseries
          path: framework-coverage-timeseries-*.csv
--- a/.github/workflows/csv-coverage-update.yml
+++ b/.github/workflows/csv-coverage-update.yml
@@ -5,10 +5,6 @@ on:
  schedule:
    - cron: "0 0 * * *"

-permissions:
-  contents: write
-  pull-requests: write
-
 jobs:
  update:
    name: Update framework coverage report
@@ -21,7 +17,7 @@ jobs:
          GITHUB_CONTEXT: ${{ toJSON(github.event) }}
        run: echo "$GITHUB_CONTEXT"
      - name: Clone self (github/codeql)
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
        with:
          path: ql
          fetch-depth: 0
--- a/.github/workflows/csv-coverage.yml
+++ b/.github/workflows/csv-coverage.yml
@@ -7,20 +7,17 @@ on:
        description: "github/codeql repo SHA used for looking up the CSV models"
        required: false

-permissions:
-  contents: read
-
 jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      - name: Clone self (github/codeql)
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
        with:
          path: script
      - name: Clone self (github/codeql) for analysis
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
        with:
          path: codeqlModels
          ref: ${{ github.event.inputs.qlModelShaOverride || github.ref }}
@@ -34,12 +31,12 @@ jobs:
        run: |
          python script/misc/scripts/library-coverage/generate-report.py ci codeqlModels script
      - name: Upload CSV package list
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v3
        with:
          name: framework-coverage-csv
          path: framework-coverage-*.csv
      - name: Upload RST package list
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v3
        with:
          name: framework-coverage-rst
          path: framework-coverage-*.rst
--- a/.github/workflows/fast-forward.yml
+++ b/.github/workflows/fast-forward.yml
@@ -1,51 +0,0 @@
-# Fast-forwards the branch specified in BRANCH_NAME
-# to the github.ref/sha that this workflow is run on.
-# Used as part of the release process, to ensure
-# external query writers can always access a branch of github/codeql
-# that is compatible with the latest stable release.
-name: Fast-forward tracking branch for selected CodeQL version
-on:
-  workflow_dispatch:
-
-permissions:
-  contents: write
-
-jobs:
-  fast-forward:
-    name: Fast-forward tracking branch for selected CodeQL version
-    runs-on: ubuntu-latest
-    if: github.repository == 'github/codeql'
-    env:
-      BRANCH_NAME: 'lgtm.com'
-    steps:
-      - name: Validate chosen branch
-        if: ${{ !startsWith(github.ref_name, 'codeql-cli-') }}
-        shell: bash
-        run: |
-          echo "::error ::The $BRANCH_NAME tracking branch should only be fast-forwarded to the tip of a codeql-cli-* branch, got $GITHUB_REF_NAME instead."
-          exit 1
-
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Git config
-        shell: bash
-        run: |
-          git config user.name "github-actions[bot]"
-          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
-
-      - name: Fetch
-        shell: bash
-        run: |
-          set -x
-          echo "Fetching $BRANCH_NAME"
-          # Explicitly unshallow and fetch to ensure the remote ref is available.
-          git fetch --unshallow origin "$BRANCH_NAME"
-          git checkout -b "$BRANCH_NAME" "origin/$BRANCH_NAME"
-
-      - name: Fast-forward
-        shell: bash
-        run: |
-          echo "Fast-forwarding $BRANCH_NAME to ${GITHUB_REF}@${GITHUB_SHA}"
-          git merge --ff-only "$GITHUB_SHA"
-          git push origin "$BRANCH_NAME"
--- a/.github/workflows/go-tests-other-os.yml
+++ b/.github/workflows/go-tests-other-os.yml
@@ -3,34 +3,78 @@ on:
  pull_request:
    paths:
      - "go/**"
-      - "!go/documentation/**"
      - "!go/ql/**" # don't run other-os if only ql/ files changed
      - .github/workflows/go-tests-other-os.yml
      - .github/actions/**
      - codeql-workspace.yml
-      - MODULE.bazel
-      - .bazelrc
-      - misc/bazel/**
-
-permissions:
-  contents: read
-
 jobs:
  test-mac:
    name: Test MacOS
    runs-on: macos-latest
    steps:
+      - name: Set up Go 1.19
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+        id: go
+
      - name: Check out code
-        uses: actions/checkout@v4
-      - name: Run tests
-        uses: ./go/actions/test
+        uses: actions/checkout@v2
+
+      - name: Set up CodeQL CLI
+        uses: ./.github/actions/fetch-codeql
+
+      - name: Enable problem matchers in repository
+        shell: bash
+        run: 'find .github/problem-matchers -name \*.json -exec echo "::add-matcher::{}" \;'
+
+      - name: Build
+        run: |
+          cd go
+          make
+
+      - name: Cache compilation cache
+        id: query-cache
+        uses: ./.github/actions/cache-query-compilation
+        with:
+          key: go-qltest
+      - name: Test
+        run: |
+          cd go
+          make test cache="${{ steps.query-cache.outputs.cache-dir }}"

  test-win:
-    if: github.repository_owner == 'github'
    name: Test Windows
    runs-on: windows-latest-xl
    steps:
+      - name: Set up Go 1.19
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+        id: go
+
      - name: Check out code
-        uses: actions/checkout@v4
-      - name: Run tests
-        uses: ./go/actions/test
+        uses: actions/checkout@v2
+
+      - name: Set up CodeQL CLI
+        uses: ./.github/actions/fetch-codeql
+
+      - name: Enable problem matchers in repository
+        shell: bash
+        run: 'find .github/problem-matchers -name \*.json -exec echo "::add-matcher::{}" \;'
+
+      - name: Build
+        run: |
+          cd go
+          make
+
+      - name: Cache compilation cache
+        id: query-cache
+        uses: ./.github/actions/cache-query-compilation
+        with:
+          key: go-qltest
+
+      - name: Test
+        run: |
+          cd go
+          make test cache="${{ steps.query-cache.outputs.cache-dir }}"
--- a/.github/workflows/go-tests-rtjo.yml
+++ b/.github/workflows/go-tests-rtjo.yml
@@ -1,22 +0,0 @@
-name: "Go: Run RTJO Tests"
-on:
-  pull_request:
-    types:
-      - labeled
-
-permissions:
-  contents: read
-
-jobs:
-  test-linux:
-    if: "github.repository_owner == 'github' && github.event.label.name == 'Run: RTJO Language Tests'"
-    name: RTJO Test Linux (Ubuntu)
-    runs-on: ubuntu-latest-xl
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v4
-      - name: Run tests
-        uses: ./go/actions/test
-        with:
-          run-code-checks: true
-          dynamic-join-order-mode: all
--- a/.github/workflows/go-tests.yml
+++ b/.github/workflows/go-tests.yml
@@ -3,8 +3,6 @@ on:
  push:
    paths:
      - "go/**"
-      - "!go/documentation/**"
-      - "shared/**"
      - .github/workflows/go-tests.yml
      - .github/actions/**
      - codeql-workspace.yml
@@ -14,27 +12,58 @@ on:
  pull_request:
    paths:
      - "go/**"
-      - "!go/documentation/**"      
-      - "shared/**"
      - .github/workflows/go-tests.yml
      - .github/actions/**
      - codeql-workspace.yml
-      - MODULE.bazel
-      - .bazelrc
-      - misc/bazel/**
-
-permissions:
-  contents: read
-
 jobs:
  test-linux:
-    if: github.repository_owner == 'github'
    name: Test Linux (Ubuntu)
    runs-on: ubuntu-latest-xl
    steps:
-      - name: Check out code
-        uses: actions/checkout@v4
-      - name: Run tests
-        uses: ./go/actions/test
+      - name: Set up Go 1.19
+        uses: actions/setup-go@v3
        with:
-          run-code-checks: true
+          go-version: 1.19
+        id: go
+
+      - name: Check out code
+        uses: actions/checkout@v2
+
+      - name: Set up CodeQL CLI
+        uses: ./.github/actions/fetch-codeql
+
+      - name: Enable problem matchers in repository
+        shell: bash
+        run: 'find .github/problem-matchers -name \*.json -exec echo "::add-matcher::{}" \;'
+
+      - name: Build
+        run: |
+          cd go
+          make
+
+      - name: Check that all Go code is autoformatted
+        run: |
+          cd go
+          make check-formatting
+
+      - name: Compile qhelp files to markdown
+        run: |
+          cd go
+          env QHELP_OUT_DIR=qhelp-out make qhelp-to-markdown
+
+      - name: Upload qhelp markdown
+        uses: actions/upload-artifact@v3
+        with:
+          name: qhelp-markdown
+          path: go/qhelp-out/**/*.md
+
+      - name: Cache compilation cache
+        id: query-cache
+        uses: ./.github/actions/cache-query-compilation
+        with:
+          key: go-qltest
+
+      - name: Test
+        run: |
+          cd go
+          make test cache="${{ steps.query-cache.outputs.cache-dir }}"
--- a/.github/workflows/js-ml-tests.yml
+++ b/.github/workflows/js-ml-tests.yml
@@ -0,0 +1,65 @@
+name: JS ML-powered queries tests
+
+on:
+  push:
+    paths:
+      - "javascript/ql/experimental/adaptivethreatmodeling/**"
+      - .github/workflows/js-ml-tests.yml
+      - .github/actions/fetch-codeql/action.yml
+      - codeql-workspace.yml
+    branches:
+      - main
+      - "rc/*"
+  pull_request:
+    paths:
+      - "javascript/ql/experimental/adaptivethreatmodeling/**"
+      - .github/workflows/js-ml-tests.yml
+      - .github/actions/fetch-codeql/action.yml
+      - codeql-workspace.yml
+  workflow_dispatch:
+
+defaults:
+  run:
+    working-directory: javascript/ql/experimental/adaptivethreatmodeling
+
+jobs:
+  qltest:
+    name: Test QL
+    runs-on: ubuntu-latest-xl
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: ./.github/actions/fetch-codeql
+
+      - name: Install pack dependencies
+        run: |
+          for pack in modelbuilding src test; do
+            codeql pack install --mode verify -- "${pack}"
+          done
+      
+      - name: Cache compilation cache
+        id: query-cache
+        uses: ./.github/actions/cache-query-compilation
+        with: 
+          key: js-ml-test
+
+      - name: Check QL compilation
+        run: |
+          codeql query compile \
+            --check-only \
+            --ram 50000 \
+            --additional-packs "${{ github.workspace }}" \
+            --threads=0 \
+            --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" \
+            -- \
+            lib modelbuilding src
+
+      - name: Run QL tests
+        run: |
+          codeql test run \
+            --threads=0 \
+            --ram 50000 \
+            --additional-packs "${{ github.workspace }}" \
+            --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" \
+            -- \
+            test
--- a/.github/workflows/kotlin-build.yml
+++ b/.github/workflows/kotlin-build.yml
@@ -1,28 +0,0 @@
-name: "Kotlin Build"
-
-on:
-  pull_request:
-    paths:
-      - "java/kotlin-extractor/**"
-      - "misc/bazel/**"
-      - "misc/codegen/**"
-      - "*.bazel*"
-      - .github/workflows/kotlin-build.yml
-    branches:
-      - main
-      - rc/*
-      - codeql-cli-*
-
-permissions:
-  contents: read
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - run: |
-          bazel query //java/kotlin-extractor/...
-          # only build the default version as a quick check that we can build from `codeql`
-          # the full official build will be checked by QLucie
-          bazel build //java/kotlin-extractor
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -2,12 +2,11 @@ name: "Pull Request Labeler"
 on:
 - pull_request_target

-permissions:
-  contents: read
-  pull-requests: write
-
 jobs:
  triage:
+    permissions:
+      contents: read
+      pull-requests: write
    runs-on: ubuntu-latest
    steps:
    - uses: actions/labeler@v4
--- a/.github/workflows/mad_modelDiff.yml
+++ b/.github/workflows/mad_modelDiff.yml
@@ -11,8 +11,7 @@ on:
    branches:
      - main
    paths:
-      - "java/ql/src/utils/modelgenerator/**/*.*"
-      - "misc/scripts/models-as-data/*.*"
+      - "java/ql/src/utils/model-generator/**/*.*"
      - ".github/workflows/mad_modelDiff.yml"

 permissions:
@@ -28,31 +27,25 @@ jobs:
        slug: ${{fromJson(github.event.inputs.projects || '["apache/commons-codec", "apache/commons-io", "apache/commons-beanutils", "apache/commons-logging", "apache/commons-fileupload", "apache/commons-lang", "apache/commons-validator", "apache/commons-csv", "apache/dubbo"]' )}}
    steps:
      - name: Clone github/codeql from PR
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
        if: github.event.pull_request
        with:
          path: codeql-pr
      - name: Clone github/codeql from main
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
        with:
          path: codeql-main
          ref: main
      - uses: ./codeql-main/.github/actions/fetch-codeql
-      # compute the shortname of the project that does not contain any special (disk) characters
-      - run: |
-          echo "SHORTNAME=${SLUG//[^a-zA-Z0-9_]/}" >> $GITHUB_OUTPUT
-        env: 
-          SLUG: ${{ matrix.slug }}
-        id: shortname
      - name: Download database
        env:
          SLUG: ${{ matrix.slug }}
-          GH_TOKEN: ${{ github.token }}
-          SHORTNAME: ${{ steps.shortname.outputs.SHORTNAME }}
        run: |
          set -x
          mkdir lib-dbs
-          gh api -H "Accept: application/zip" "/repos/${SLUG}/code-scanning/codeql/databases/java" > "$SHORTNAME.zip"
+          SHORTNAME=${SLUG//[^a-zA-Z0-9_]/}
+          projectId=`curl -s https://lgtm.com/api/v1.0/projects/g/${SLUG} | jq .id`
+          curl -L "https://lgtm.com/api/v1.0/snapshots/$projectId/java" -o "$SHORTNAME.zip"
          unzip -q -d "${SHORTNAME}-db" "${SHORTNAME}.zip"
          mkdir "lib-dbs/$SHORTNAME/"
          mv "${SHORTNAME}-db/"$(ls -1 "${SHORTNAME}"-db)/* "lib-dbs/${SHORTNAME}/"
@@ -68,9 +61,8 @@ jobs:
            DATABASE=$2
            cd codeql-$QL_VARIANT
            SHORTNAME=`basename $DATABASE`
-            python java/ql/src/utils/modelgenerator/GenerateFlowModel.py --with-summaries --with-sinks $DATABASE $SHORTNAME/$QL_VARIANT
-            mkdir -p $MODELS/$SHORTNAME
-            mv java/ql/lib/ext/generated/$SHORTNAME/$QL_VARIANT $MODELS/$SHORTNAME
+            python java/ql/src/utils/model-generator/GenerateFlowModel.py --with-summaries --with-sinks $DATABASE ${SHORTNAME}.temp.model.yml
+            mv java/ql/lib/ext/generated/${SHORTNAME}.temp.model.yml $MODELS/${SHORTNAME}Generated_${QL_VARIANT}.model.yml
            cd ..
          }

@@ -93,21 +85,19 @@ jobs:
          set -x
          MODELS=`pwd`/tmp-models
          ls -1 tmp-models/
-          for m in $MODELS/*/main/*.model.yml ; do
+          for m in $MODELS/*_main.model.yml ; do
            t="${m/main/"pr"}"
            basename=`basename $m`
-            name="diff_${basename/.model.yml/""}"
+            name="diff_${basename/_main.model.yml/""}"
            (diff -w -u $m $t | diff2html -i stdin -F $MODELS/$name.html) || true
          done
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v3
        with:
-          name: models-${{ steps.shortname.outputs.SHORTNAME }}
-          path: tmp-models/**/**/*.model.yml
+          name: models
+          path: tmp-models/*.model.yml
          retention-days: 20
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v3
        with:
-          name: diffs-${{ steps.shortname.outputs.SHORTNAME }}
+          name: diffs
          path: tmp-models/*.html
-          # An html file is only produced if the generated models differ.
-          if-no-files-found: ignore
          retention-days: 20
--- a/.github/workflows/mad_regenerate-models.yml
+++ b/.github/workflows/mad_regenerate-models.yml
@@ -11,9 +11,6 @@ on:
      - ".github/workflows/mad_regenerate-models.yml"
      - ".github/actions/fetch-codeql/action.yml"

-permissions:
-  contents: read
-
 jobs:
  regenerate-models:
    runs-on: ubuntu-latest
@@ -30,11 +27,11 @@ jobs:
            ref: "placeholder"
    steps:
      - name: Clone self (github/codeql)
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
      - name: Setup CodeQL binaries
        uses: ./.github/actions/fetch-codeql
      - name: Clone repositories
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
        with:
          path: repos/${{ matrix.ref }}
          ref: ${{ matrix.ref }}
@@ -53,13 +50,13 @@ jobs:
          SLUG: ${{ matrix.slug }}
        run: |
          SHORTNAME=${SLUG//[^a-zA-Z0-9_]/}
-          java/ql/src/utils/modelgenerator/RegenerateModels.py "${SLUG}" dbs/${SHORTNAME}
+          java/ql/src/utils/model-generator/RegenerateModels.py "${SLUG}" dbs/${SHORTNAME}
      - name: Stage changes
        run: |
          find java -name "*.model.yml" -print0 | xargs -0 git add
          git status
          git diff --cached > models.patch
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v3
        with:
          name: patch
          path: models.patch
--- a/.github/workflows/post-pr-comment.yml
+++ b/.github/workflows/post-pr-comment.yml
@@ -17,11 +17,8 @@ jobs:
  post_comment:
    runs-on: ubuntu-latest
    steps:
-      - name: Download artifacts
-        run: |
-          gh run download "${WORKFLOW_RUN_ID}" --repo "${GITHUB_REPOSITORY}" --name "comment-pr-number"
-          gh run download "${WORKFLOW_RUN_ID}" --repo "${GITHUB_REPOSITORY}" --name "comment-body"
-          gh run download "${WORKFLOW_RUN_ID}" --repo "${GITHUB_REPOSITORY}" --name "comment-id"
+      - name: Download artifact
+        run: gh run download "${WORKFLOW_RUN_ID}" --repo "${GITHUB_REPOSITORY}" --name "comment"
        env:
          GITHUB_TOKEN: ${{ github.token }}
          WORKFLOW_RUN_ID: ${{ github.event.workflow_run.id }}
--- a/.github/workflows/qhelp-pr-preview.yml
+++ b/.github/workflows/qhelp-pr-preview.yml
@@ -36,14 +36,14 @@ jobs:
      - run: echo "${PR_NUMBER}" > pr_number.txt
        env:
          PR_NUMBER: ${{ github.event.number }}
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v3
        with:
-          name: comment-pr-number
+          name: comment
          path: pr_number.txt
          if-no-files-found: error
          retention-days: 1

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
        with:
          fetch-depth: 2
          persist-credentials: false
@@ -77,10 +77,10 @@ jobs:
          done < "${RUNNER_TEMP}/paths.txt" >> comment_body.txt
          exit "${EXIT_CODE}"

-      - if: ${{ !cancelled() }}
-        uses: actions/upload-artifact@v4
+      - if: always()
+        uses: actions/upload-artifact@v3
        with:
-          name: comment-body
+          name: comment
          path: comment_body.txt
          if-no-files-found: error
          retention-days: 1
@@ -94,9 +94,9 @@ jobs:
          GITHUB_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.number }}

-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v3
        with:
-          name: comment-id
+          name: comment
          path: comment_id.txt
          if-no-files-found: error
          retention-days: 1
--- a/.github/workflows/ql-for-ql-build.yml
+++ b/.github/workflows/ql-for-ql-build.yml
@@ -5,77 +5,161 @@ on:
    branches: [main]
  pull_request:
    branches: [main]
+    paths:
+      - "ql/**"
+      - "**.qll"
+      - "**.ql"
+      - "**.dbscheme"
+      - "**/qlpack.yml"
+      - ".github/workflows/ql-for-ql-build.yml"

 env:
  CARGO_TERM_COLOR: always

-permissions:
-  contents: read
-  security-events: write
-
 jobs:
  analyze:
-    if: github.repository_owner == 'github'
    runs-on: ubuntu-latest-xl
    steps:
      ### Build the queries ###
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
+      - uses: actions/checkout@v3
+      - name: Find latest bundle
+        id: find-latest-bundle
+        uses: ./.github/actions/find-latest-bundle
      - name: Find codeql
        id: find-codeql
-        uses: github/codeql-action/init@main
+        uses: github/codeql-action/init@77a8d2d10c0b403a8b4aadbd223dc489ecd22683
        with:
          languages: javascript # does not matter
-      - uses: ./.github/actions/os-version
-        id: os_version
+          tools: ${{ steps.find-latest-bundle.outputs.url }}
+      - name: Get CodeQL version
+        id: get-codeql-version
+        run: |
+          echo "version=$("${CODEQL}" --version | head -n 1 | rev | cut -d " " -f 1 | rev)" >> $GITHUB_OUTPUT
+        shell: bash
+        env:
+          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
+      - name: Cache entire pack
+        id: cache-pack
+        uses: actions/cache@v3
+        with:
+          path: ${{ runner.temp }}/pack
+          key: ${{ runner.os }}-pack-${{ hashFiles('ql/**/Cargo.lock') }}-${{ hashFiles('ql/**/*.rs') }}-${{ hashFiles('ql/**/*.ql*') }}-${{ hashFiles('ql/**/qlpack.yml') }}-${{ hashFiles('ql/ql/src/ql.dbscheme*') }}-${{ steps.get-codeql-version.outputs.version }}--${{ hashFiles('.github/workflows/ql-for-ql-build.yml') }}
+      - name: Cache queries
+        if: steps.cache-pack.outputs.cache-hit != 'true'
+        id: cache-queries
+        uses: actions/cache@v3
+        with:
+          path: ${{ runner.temp }}/queries
+          key: queries-${{ hashFiles('ql/**/*.ql*') }}-${{ hashFiles('ql/**/qlpack.yml') }}-${{ hashFiles('ql/ql/src/ql.dbscheme*') }}-${{ steps.get-codeql-version.outputs.version }}--${{ hashFiles('.github/workflows/ql-for-ql-build.yml') }}
+      - name: Build query pack
+        if: steps.cache-queries.outputs.cache-hit != 'true' && steps.cache-pack.outputs.cache-hit != 'true'
+        run: |
+          cd ql/ql/src
+          "${CODEQL}" pack create -j 16
+          mv .codeql/pack/codeql/ql/0.0.0 ${{ runner.temp }}/queries
+        env:
+          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
+      - name: Move cache queries to pack
+        if: steps.cache-pack.outputs.cache-hit != 'true'
+        run: |
+          cp -r ${{ runner.temp }}/queries ${{ runner.temp }}/pack
+        env:
+          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
+
      ### Build the extractor ###
      - name: Cache entire extractor
+        if: steps.cache-pack.outputs.cache-hit != 'true'
        id: cache-extractor
        uses: actions/cache@v3
        with:
          path: |
-            ql/extractor-pack/
-            ql/target/release/buramu
-          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-extractor-${{ hashFiles('ql/**/Cargo.lock') }}-${{ hashFiles('shared/tree-sitter-extractor') }}-${{ hashFiles('ql/**/*.rs') }}
+            ql/target/release/ql-autobuilder
+            ql/target/release/ql-autobuilder.exe
+            ql/target/release/ql-extractor
+            ql/target/release/ql-extractor.exe
+          key: ${{ runner.os }}-extractor-${{ hashFiles('ql/**/Cargo.lock') }}-${{ hashFiles('ql/**/*.rs') }}
      - name: Cache cargo
-        if: steps.cache-extractor.outputs.cache-hit != 'true'
+        if: steps.cache-extractor.outputs.cache-hit != 'true' && steps.cache-pack.outputs.cache-hit != 'true'
        uses: actions/cache@v3
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            ql/target
-          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-rust-cargo-${{ hashFiles('ql/**/Cargo.lock') }}
+          key: ${{ runner.os }}-rust-cargo-${{ hashFiles('ql/**/Cargo.lock') }}
+      - name: Check formatting
+        if: steps.cache-extractor.outputs.cache-hit != 'true' && steps.cache-pack.outputs.cache-hit != 'true'
+        run: cd ql; cargo fmt --all -- --check
+      - name: Build
+        if: steps.cache-extractor.outputs.cache-hit != 'true' && steps.cache-pack.outputs.cache-hit != 'true'
+        run: cd ql; cargo build --verbose
+      - name: Run tests
+        if: steps.cache-extractor.outputs.cache-hit != 'true' && steps.cache-pack.outputs.cache-hit != 'true'
+        run: cd ql; cargo test --verbose
      - name: Release build
-        if: steps.cache-extractor.outputs.cache-hit != 'true'
-        run: cd ql; ./scripts/create-extractor-pack.sh
-        env:
-          GH_TOKEN: ${{ github.token }}
-      - name: Cache compilation cache
-        id: query-cache
-        uses: ./.github/actions/cache-query-compilation
-        with:
-          key: run-ql-for-ql
-      - name: Make database and analyze
+        if: steps.cache-extractor.outputs.cache-hit != 'true' && steps.cache-pack.outputs.cache-hit != 'true'
+        run: cd ql; cargo build --release
+      - name: Generate dbscheme
+        if: steps.cache-extractor.outputs.cache-hit != 'true' && steps.cache-pack.outputs.cache-hit != 'true'
+        run: ql/target/release/ql-generator --dbscheme ql/ql/src/ql.dbscheme --library ql/ql/src/codeql_ql/ast/internal/TreeSitter.qll
+
+      ### Package the queries and extractor ###
+      - name: Package pack
+        if: steps.cache-pack.outputs.cache-hit != 'true'
        run: |
-          ./ql/target/release/buramu | tee deprecated.blame # Add a blame file for the extractor to parse.
-          ${CODEQL} database create -l=ql ${DB} --search-path "${{ github.workspace }}"
-          ${CODEQL} database analyze -j0 --format=sarif-latest --output=ql-for-ql.sarif ${DB} ql/ql/src/codeql-suites/ql-code-scanning.qls  --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+          cp -r ql/codeql-extractor.yml ql/tools ql/ql/src/ql.dbscheme.stats ${PACK}/
+          mkdir -p ${PACK}/tools/linux64
+          cp ql/target/release/ql-autobuilder  ${PACK}/tools/linux64/autobuilder
+          cp ql/target/release/ql-extractor ${PACK}/tools/linux64/extractor
+          chmod +x ${PACK}/tools/linux64/autobuilder
+          chmod +x ${PACK}/tools/linux64/extractor
        env:
-          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
-          DB: ${{ runner.temp }}/DB
-          LGTM_INDEX_FILTERS: |
-            exclude:ql/ql/test
-            exclude:*/ql/lib/upgrades/
-            exclude:java/ql/integration-tests
-      - name: Upload sarif to code-scanning
-        uses: github/codeql-action/upload-sarif@main
+          PACK: ${{ runner.temp }}/pack
+
+      ### Run the analysis ###
+      - name: Hack codeql-action options
+        run: |
+          JSON=$(jq -nc --arg pack "${PACK}" '.database."run-queries"=["--search-path", $pack] | .resolve.queries=["--search-path", $pack] | .resolve.extractor=["--search-path", $pack] | .resolve.languages=["--search-path", $pack] | .database.init=["--search-path", $pack]')
+          echo "CODEQL_ACTION_EXTRA_OPTIONS=${JSON}" >> ${GITHUB_ENV}
+        env:
+          PACK: ${{ runner.temp }}/pack
+
+      - name: Create CodeQL config file
+        run: |
+          echo "paths-ignore:" >> ${CONF}
+          echo "  - ql/ql/test" >> ${CONF}
+          echo "  - \"*/ql/lib/upgrades/\"" >> ${CONF}
+          echo "disable-default-queries: true" >> ${CONF}
+          echo "queries:" >> ${CONF}
+          echo "  - uses: ./ql/ql/src/codeql-suites/ql-code-scanning.qls" >> ${CONF}
+          echo "Config file: "
+          cat ${CONF}
+        env:
+          CONF: ./ql-for-ql-config.yml
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@77a8d2d10c0b403a8b4aadbd223dc489ecd22683
        with:
-          sarif_file: ql-for-ql.sarif
-          category: ql-for-ql
+          languages: ql
+          db-location: ${{ runner.temp }}/db
+          config-file: ./ql-for-ql-config.yml
+          tools: ${{ steps.find-latest-bundle.outputs.url }}
+      - name: Move pack cache
+        run: |
+          cp -r ${PACK}/.cache ql/ql/src/.cache
+        env:
+          PACK: ${{ runner.temp }}/pack
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@77a8d2d10c0b403a8b4aadbd223dc489ecd22683
+        with:
+          category: "ql-for-ql"
+      - name: Copy sarif file to CWD
+        run: cp ../results/ql.sarif ./ql-for-ql.sarif
+      - name: Fixup the $scema in sarif  # Until https://github.com/microsoft/sarif-vscode-extension/pull/436/ is part in a stable release
+        run: |
+          sed -i 's/\$schema.*/\$schema": "https:\/\/raw.githubusercontent.com\/oasis-tcs\/sarif-spec\/master\/Schemata\/sarif-schema-2.1.0",/' ql-for-ql.sarif
      - name: Sarif as artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v3
        with:
          name: ql-for-ql.sarif
          path: ql-for-ql.sarif
@@ -84,8 +168,8 @@ jobs:
          mkdir split-sarif
          node ./ql/scripts/split-sarif.js ql-for-ql.sarif split-sarif
      - name: Upload langs as artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v3
        with:
          name: ql-for-ql-langs
          path: split-sarif
-          retention-days: 1
+          retention-days: 1
--- a/.github/workflows/ql-for-ql-dataset_measure.yml
+++ b/.github/workflows/ql-for-ql-dataset_measure.yml
@@ -11,10 +11,6 @@ on:
      - ql/ql/src/ql.dbscheme
  workflow_dispatch:

-permissions:
-  contents: read
-  security-events: read
-
 jobs:
  measure:
    env:
@@ -25,36 +21,34 @@ jobs:
          - github/codeql
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3

      - name: Find codeql
        id: find-codeql
-        uses: github/codeql-action/init@main
+        uses: github/codeql-action/init@77a8d2d10c0b403a8b4aadbd223dc489ecd22683
        with:
          languages: javascript # does not matter
-      - uses: ./.github/actions/os-version
-        id: os_version
      - uses: actions/cache@v3
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            ql/target
-          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-qltest-cargo-${{ hashFiles('ql/**/Cargo.lock') }}
+          key: ${{ runner.os }}-qltest-cargo-${{ hashFiles('ql/**/Cargo.lock') }}
      - name: Build Extractor
        run: cd ql; env "PATH=$PATH:`dirname ${CODEQL}`" ./scripts/create-extractor-pack.sh
        env:
          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
      - name: Checkout ${{ matrix.repo }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
        with:
          repository: ${{ matrix.repo }}
          path: ${{ github.workspace }}/repo
      - name: Create database
        run: |
          "${CODEQL}" database create \
-          --search-path "${{ github.workspace }}"
-          --threads 4 \
+            --search-path "ql/extractor-pack" \
+            --threads 4 \
            --language ql --source-root "${{ github.workspace }}/repo" \
            "${{ runner.temp }}/database"
        env:
@@ -65,7 +59,7 @@ jobs:
          "${CODEQL}" dataset measure --threads 4 --output "stats/${{ matrix.repo }}/stats.xml" "${{ runner.temp }}/database/db-ql"
        env:
          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v3
        with:
          name: measurements
          path: stats
@@ -75,15 +69,15 @@ jobs:
    runs-on: ubuntu-latest
    needs: measure
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/download-artifact@v4
+      - uses: actions/checkout@v3
+      - uses: actions/download-artifact@v3
        with:
          name: measurements
          path: stats
      - run: |
          python -m pip install --user lxml
          find stats -name 'stats.xml' -print0 | sort -z | xargs -0 python ruby/scripts/merge_stats.py --output ql/ql/src/ql.dbscheme.stats --normalise ql_tokeninfo
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v3
        with:
          name: ql.dbscheme.stats
          path: ql/ql/src/ql.dbscheme.stats
--- a/.github/workflows/ql-for-ql-tests.yml
+++ b/.github/workflows/ql-for-ql-tests.yml
@@ -6,106 +6,44 @@ on:
    paths:
      - "ql/**"
      - codeql-workspace.yml
-      - .github/workflows/ql-for-ql-tests.yml
  pull_request:
    branches: [main]
    paths:
      - "ql/**"
      - codeql-workspace.yml
-      - .github/workflows/ql-for-ql-tests.yml

 env:
  CARGO_TERM_COLOR: always

-permissions:
-  contents: read
-
 jobs:
  qltest:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
      - name: Find codeql
        id: find-codeql
-        uses: github/codeql-action/init@main
+        uses: github/codeql-action/init@77a8d2d10c0b403a8b4aadbd223dc489ecd22683
        with:
          languages: javascript # does not matter
-      - uses: ./.github/actions/os-version
-        id: os_version
      - uses: actions/cache@v3
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            ql/target
-          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-qltest-cargo-${{ hashFiles('ql/rust-toolchain.toml', 'ql/**/Cargo.lock') }}
-      - name: Check formatting
-        run: cd ql; cargo fmt -- --check
+          key: ${{ runner.os }}-qltest-cargo-${{ hashFiles('ql/**/Cargo.lock') }}
      - name: Build extractor
        run: |
          cd ql;
          codeqlpath=$(dirname ${{ steps.find-codeql.outputs.codeql-path }});
          env "PATH=$PATH:$codeqlpath" ./scripts/create-extractor-pack.sh
-      - name: Cache compilation cache
-        id: query-cache
-        uses: ./.github/actions/cache-query-compilation
-        with:
-          key: ql-for-ql-tests
      - name: Run QL tests
        run: |
-          "${CODEQL}" test run --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --search-path "${{ github.workspace }}" --consistency-queries ql/ql/consistency-queries --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" ql/ql/test
+          "${CODEQL}" test run --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --search-path "${{ github.workspace }}/ql/extractor-pack" --consistency-queries ql/ql/consistency-queries ql/ql/test
        env:
          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
-
-  other-os:
-    strategy:
-      matrix:
-        os: [macos-latest, windows-latest]
-    needs: [qltest]
-    runs-on: ${{ matrix.os }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: Install GNU tar
-        if: runner.os == 'macOS'
+      - name: Check QL formatting
        run: |
-          brew install gnu-tar
-          echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
-      - name: Find codeql
-        id: find-codeql
-        uses: github/codeql-action/init@main
-        with:
-          languages: javascript # does not matter
-      - uses: ./.github/actions/os-version
-        id: os_version
-      - uses: actions/cache@v3
-        with:
-          path: |
-            ~/.cargo/registry
-            ~/.cargo/git
-            ql/target
-          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-qltest-cargo-${{ hashFiles('ql/rust-toolchain.toml', 'ql/**/Cargo.lock') }}
-      - name: Build extractor
-        if: runner.os != 'Windows'
-        run: |
-          cd ql;
-          codeqlpath=$(dirname ${{ steps.find-codeql.outputs.codeql-path }});
-          env "PATH=$PATH:$codeqlpath" ./scripts/create-extractor-pack.sh
-      - name: Build extractor (Windows)
-        if: runner.os == 'Windows'
-        shell: pwsh
-        run: |
-          cd ql;
-          $Env:PATH += ";$(dirname ${{ steps.find-codeql.outputs.codeql-path }})"
-          pwsh ./scripts/create-extractor-pack.ps1
-      - name: Run a single QL tests - Unix
-        if: runner.os != 'Windows'
-        run: |
-          "${CODEQL}" test run --check-databases --search-path "${{ github.workspace }}" ql/ql/test/queries/style/DeadCode/DeadCode.qlref
+          find ql/ql/src "(" -name "*.ql" -or -name "*.qll" ")" -print0 | xargs -0 "${CODEQL}" query format --check-only
        env:
          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
-      - name: Run a single QL tests - Windows
-        if: runner.os == 'Windows'
-        shell: pwsh
-        run: |
-          $Env:PATH += ";$(dirname ${{ steps.find-codeql.outputs.codeql-path }})"
-          codeql test run --check-databases --search-path "${{ github.workspace }}" ql/ql/test/queries/style/DeadCode/DeadCode.qlref
--- a/.github/workflows/query-list.yml
+++ b/.github/workflows/query-list.yml
@@ -13,9 +13,6 @@ on:
      - '.github/actions/fetch-codeql/action.yml'
      - 'misc/scripts/generate-code-scanning-query-list.py'

-permissions:
-  contents: read
-
 jobs:
  build:

@@ -23,7 +20,7 @@ jobs:

    steps:
    - name: Clone self (github/codeql)
-      uses: actions/checkout@v4
+      uses: actions/checkout@v3
      with:
        path: codeql 
    - name: Set up Python 3.8
@@ -37,7 +34,7 @@ jobs:
      run: |
        python codeql/misc/scripts/generate-code-scanning-query-list.py > code-scanning-query-list.csv
    - name: Upload code scanning query list
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v3
      with:
        name: code-scanning-query-list
        path: code-scanning-query-list.csv
--- a/.github/workflows/ruby-build.yml
+++ b/.github/workflows/ruby-build.yml
@@ -7,7 +7,6 @@ on:
      - .github/workflows/ruby-build.yml
      - .github/actions/fetch-codeql/action.yml
      - codeql-workspace.yml
-      - "shared/tree-sitter-extractor/**"
    branches:
      - main
      - "rc/*"
@@ -17,7 +16,6 @@ on:
      - .github/workflows/ruby-build.yml
      - .github/actions/fetch-codeql/action.yml
      - codeql-workspace.yml
-      - "shared/tree-sitter-extractor/**"
    branches:
      - main
      - "rc/*"
@@ -34,9 +32,6 @@ defaults:
  run:
    working-directory: ruby

-permissions:
-  contents: read
-
 jobs:
  build:
    strategy:
@@ -47,119 +42,112 @@ jobs:
    runs-on: ${{ matrix.os }}

    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
      - name: Install GNU tar
        if: runner.os == 'macOS'
        run: |
          brew install gnu-tar
          echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
-      - name: Prepare Windows
-        if: runner.os == 'Windows'
-        shell: powershell
-        run: |
-          git config --global core.longpaths true
-      - uses: ./.github/actions/os-version
-        id: os_version
      - name: Cache entire extractor
        uses: actions/cache@v3
        id: cache-extractor
        with:
          path: |
-            target/release/codeql-extractor-ruby
-            target/release/codeql-extractor-ruby.exe
-            ruby/extractor/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
-          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-extractor-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/Cargo.lock') }}-${{ hashFiles('shared/tree-sitter-extractor') }}-${{ hashFiles('ruby/extractor/**/*.rs') }}
+            ruby/target/release/ruby-autobuilder
+            ruby/target/release/ruby-autobuilder.exe
+            ruby/target/release/ruby-extractor
+            ruby/target/release/ruby-extractor.exe
+            ruby/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
+          key: ${{ runner.os }}-ruby-extractor-${{ hashFiles('ruby/rust-toolchain.toml', 'ruby/**/Cargo.lock') }}--${{ hashFiles('ruby/**/*.rs') }}
      - uses: actions/cache@v3
        if: steps.cache-extractor.outputs.cache-hit != 'true'
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
-            target
-          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-rust-cargo-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/**/Cargo.lock') }}
+            ruby/target
+          key: ${{ runner.os }}-ruby-rust-cargo-${{ hashFiles('ruby/rust-toolchain.toml', 'ruby/**/Cargo.lock') }}
      - name: Check formatting
        if: steps.cache-extractor.outputs.cache-hit != 'true'
-        run: cd extractor && cargo fmt -- --check
+        run: cargo fmt --all -- --check
      - name: Build
        if: steps.cache-extractor.outputs.cache-hit != 'true'
-        run: cd extractor && cargo build --verbose
+        run: cargo build --verbose
      - name: Run tests
        if: steps.cache-extractor.outputs.cache-hit != 'true'
-        run: cd extractor && cargo test --verbose
+        run: cargo test --verbose
      - name: Release build
        if: steps.cache-extractor.outputs.cache-hit != 'true'
-        run: cd extractor && cargo build --release
+        run: cargo build --release
      - name: Generate dbscheme
        if: ${{ matrix.os == 'ubuntu-latest' && steps.cache-extractor.outputs.cache-hit != 'true'}}
-        run: ../target/release/codeql-extractor-ruby generate --dbscheme ql/lib/ruby.dbscheme --library ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
-      - uses: actions/upload-artifact@v4
+        run: target/release/ruby-generator --dbscheme ql/lib/ruby.dbscheme --library ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
+      - uses: actions/upload-artifact@v3
        if: ${{ matrix.os == 'ubuntu-latest' }}
        with:
          name: ruby.dbscheme
          path: ruby/ql/lib/ruby.dbscheme
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v3
        if: ${{ matrix.os == 'ubuntu-latest' }}
        with:
          name: TreeSitter.qll
          path: ruby/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v3
        with:
          name: extractor-${{ matrix.os }}
          path: |
-            target/release/codeql-extractor-ruby
-            target/release/codeql-extractor-ruby.exe
+            ruby/target/release/ruby-autobuilder
+            ruby/target/release/ruby-autobuilder.exe
+            ruby/target/release/ruby-extractor
+            ruby/target/release/ruby-extractor.exe
          retention-days: 1
  compile-queries:
-    if: github.repository_owner == 'github'
    runs-on: ubuntu-latest-xl
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
      - name: Fetch CodeQL
        uses: ./.github/actions/fetch-codeql
      - name: Cache compilation cache
        id: query-cache
        uses: ./.github/actions/cache-query-compilation
-        with:
+        with: 
          key: ruby-build
      - name: Build Query Pack
        run: |
-          PACKS=${{ runner.temp }}/query-packs
-          rm -rf $PACKS
-          codeql pack create ../misc/suite-helpers --output "$PACKS"
-          codeql pack create ../shared/regex --output "$PACKS"
-          codeql pack create ../shared/ssa --output "$PACKS"
-          codeql pack create ../shared/tutorial --output "$PACKS"
-          codeql pack create ql/lib --output "$PACKS"
-          codeql pack create -j0 ql/src --output "$PACKS" --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
-          PACK_FOLDER=$(readlink -f "$PACKS"/codeql/ruby-queries/*)
+          rm -rf target/packs
+          codeql pack create ../shared/ssa --output target/packs
+          codeql pack create ../misc/suite-helpers --output target/packs
+          codeql pack create ../shared/regex --output target/packs
+          codeql pack create ql/lib --output target/packs
+          codeql pack create -j0 ql/src --output target/packs --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+          PACK_FOLDER=$(readlink -f target/packs/codeql/ruby-queries/*)
          codeql generate query-help --format=sarifv2.1.0 --output="${PACK_FOLDER}/rules.sarif" ql/src
          (cd ql/src; find queries \( -name '*.qhelp' -o -name '*.rb' -o -name '*.erb' \) -exec bash -c 'mkdir -p "'"${PACK_FOLDER}"'/$(dirname "{}")"' \; -exec cp "{}" "${PACK_FOLDER}/{}" \;)
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v3
        with:
          name: codeql-ruby-queries
          path: |
-            ${{ runner.temp }}/query-packs/*
+            ruby/target/packs/*
          retention-days: 1
-          include-hidden-files: true

  package:
    runs-on: ubuntu-latest
    needs: [build, compile-queries]
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/download-artifact@v4
+      - uses: actions/checkout@v3
+      - uses: actions/download-artifact@v3
        with:
          name: ruby.dbscheme
          path: ruby/ruby
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@v3
        with:
          name: extractor-ubuntu-latest
          path: ruby/linux64
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@v3
        with:
          name: extractor-windows-latest
          path: ruby/win64
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@v3
        with:
          name: extractor-macos-latest
          path: ruby/osx64
@@ -167,18 +155,20 @@ jobs:
          mkdir -p ruby
          cp -r codeql-extractor.yml tools ql/lib/ruby.dbscheme.stats ruby/
          mkdir -p ruby/tools/{linux64,osx64,win64}
-          cp linux64/codeql-extractor-ruby ruby/tools/linux64/extractor
-          cp osx64/codeql-extractor-ruby ruby/tools/osx64/extractor
-          cp win64/codeql-extractor-ruby.exe ruby/tools/win64/extractor.exe
-          chmod +x ruby/tools/{linux64,osx64}/extractor
+          cp linux64/ruby-autobuilder ruby/tools/linux64/autobuilder
+          cp osx64/ruby-autobuilder ruby/tools/osx64/autobuilder
+          cp win64/ruby-autobuilder.exe ruby/tools/win64/autobuilder.exe
+          cp linux64/ruby-extractor ruby/tools/linux64/extractor
+          cp osx64/ruby-extractor ruby/tools/osx64/extractor
+          cp win64/ruby-extractor.exe ruby/tools/win64/extractor.exe
+          chmod +x ruby/tools/{linux64,osx64}/{autobuilder,extractor}
          zip -rq codeql-ruby.zip ruby
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v3
        with:
          name: codeql-ruby-pack
          path: ruby/codeql-ruby.zip
          retention-days: 1
-          include-hidden-files: true
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@v3
        with:
          name: codeql-ruby-queries
          path: ruby/qlpacks
@@ -190,12 +180,11 @@ jobs:
            ]
          }' > .codeqlmanifest.json
          zip -rq codeql-ruby-bundle.zip .codeqlmanifest.json ruby qlpacks
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v3
        with:
          name: codeql-ruby-bundle
          path: ruby/codeql-ruby-bundle.zip
          retention-days: 1
-          include-hidden-files: true

  test:
    defaults:
@@ -209,27 +198,43 @@ jobs:
    runs-on: ${{ matrix.os }}
    needs: [package]
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
      - name: Fetch CodeQL
        uses: ./.github/actions/fetch-codeql

+      - uses: actions/checkout@v3
+        with:
+          repository: Shopify/example-ruby-app
+          ref: 67a0decc5eb550f3a9228eda53925c3afd40dfe9
+
      - name: Download Ruby bundle
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v3
        with:
          name: codeql-ruby-bundle
          path: ${{ runner.temp }}
      - name: Unzip Ruby bundle
        shell: bash
        run: unzip -q -d "${{ runner.temp }}/ruby-bundle" "${{ runner.temp }}/codeql-ruby-bundle.zip"
-
+      - name: Prepare test files
+        shell: bash
+        run: |
+          echo "import codeql.ruby.AST select count(File f)" > "test.ql"
+          echo "| 4 |" > "test.expected"
+          echo 'name: sample-tests
+          version: 0.0.0
+          dependencies:
+            codeql/ruby-all: "*"
+          extractor: ruby
+          tests: .
+          ' > qlpack.yml
      - name: Run QL test
        shell: bash
        run: |
-          codeql test run --search-path "${{ runner.temp }}/ruby-bundle" --additional-packs "${{ runner.temp }}/ruby-bundle" ruby/ql/test/library-tests/ast/constants/
+          codeql test run --search-path "${{ runner.temp }}/ruby-bundle" --additional-packs "${{ runner.temp }}/ruby-bundle" .
      - name: Create database
        shell: bash
        run: |
-          codeql database create --search-path "${{ runner.temp }}/ruby-bundle" --language ruby --source-root ruby/ql/test/library-tests/ast/constants/ ../database
+          codeql database create --search-path "${{ runner.temp }}/ruby-bundle" --language ruby --source-root . ../database
      - name: Analyze database
        shell: bash
        run: |
--- a/.github/workflows/ruby-dataset-measure.yml
+++ b/.github/workflows/ruby-dataset-measure.yml
@@ -17,9 +17,6 @@ on:
      - .github/workflows/ruby-dataset-measure.yml
  workflow_dispatch:

-permissions:
-  contents: read
-
 jobs:
  measure:
    env:
@@ -30,21 +27,21 @@ jobs:
        repo: [rails/rails, discourse/discourse, spree/spree, ruby/ruby]
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3

      - uses: ./.github/actions/fetch-codeql

      - uses: ./ruby/actions/create-extractor-pack

      - name: Checkout ${{ matrix.repo }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
        with:
          repository: ${{ matrix.repo }}
          path: ${{ github.workspace }}/repo
      - name: Create database
        run: |
          codeql database create \
-            --search-path "${{ github.workspace }}" \
+            --search-path "${{ github.workspace }}/ruby/extractor-pack" \
            --threads 4 \
            --language ruby --source-root "${{ github.workspace }}/repo" \
            "${{ runner.temp }}/database"
@@ -52,9 +49,9 @@ jobs:
        run: |
          mkdir -p "stats/${{ matrix.repo }}"
          codeql dataset measure --threads 4 --output "stats/${{ matrix.repo }}/stats.xml" "${{ runner.temp }}/database/db-ruby"
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v3
        with:
-          name: measurements-${{ hashFiles('stats/**') }}
+          name: measurements
          path: stats
          retention-days: 1

@@ -62,14 +59,15 @@ jobs:
    runs-on: ubuntu-latest
    needs: measure
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/download-artifact@v4
+      - uses: actions/checkout@v3
+      - uses: actions/download-artifact@v3
        with:
+          name: measurements
          path: stats
      - run: |
          python -m pip install --user lxml
          find stats -name 'stats.xml' | sort | xargs python ruby/scripts/merge_stats.py --output ruby/ql/lib/ruby.dbscheme.stats --normalise ruby_tokeninfo
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v3
        with:
          name: ruby.dbscheme.stats
          path: ruby/ql/lib/ruby.dbscheme.stats
--- a/.github/workflows/ruby-qltest-rtjo.yml
+++ b/.github/workflows/ruby-qltest-rtjo.yml
@@ -1,40 +0,0 @@
-name: "Ruby: Run RTJO Language Tests"
-
-on:
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - labeled
-
-env:
-  CARGO_TERM_COLOR: always
-
-defaults:
-  run:
-    working-directory: ruby
-
-permissions:
-  contents: read
-
-jobs:
-  qltest-rtjo:
-    if: "github.repository_owner == 'github' && github.event.label.name == 'Run: RTJO Language Tests'"
-    runs-on: ubuntu-latest-xl
-    strategy:
-      fail-fast: false
-    steps:
-      - uses: actions/checkout@v4
-      - uses: ./.github/actions/fetch-codeql
-      - uses: ./ruby/actions/create-extractor-pack
-      - name: Cache compilation cache
-        id: query-cache
-        uses: ./.github/actions/cache-query-compilation
-        with:
-          key: ruby-qltest
-      - name: Run QL tests
-        run: |
-          codeql test run --dynamic-join-order-mode=all --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
--- a/.github/workflows/ruby-qltest.yml
+++ b/.github/workflows/ruby-qltest.yml
@@ -4,7 +4,6 @@ on:
  push:
    paths:
      - "ruby/**"
-      - "shared/**"
      - .github/workflows/ruby-build.yml
      - .github/actions/fetch-codeql/action.yml
      - codeql-workspace.yml
@@ -14,7 +13,6 @@ on:
  pull_request:
    paths:
      - "ruby/**"
-      - "shared/**"
      - .github/workflows/ruby-qltest.yml
      - .github/actions/fetch-codeql/action.yml
      - codeql-workspace.yml
@@ -29,14 +27,11 @@ defaults:
  run:
    working-directory: ruby

-permissions:
-  contents: read
-
 jobs:
  qlupgrade:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
      - uses: ./.github/actions/fetch-codeql
      - name: Check DB upgrade scripts
        run: |
@@ -53,21 +48,20 @@ jobs:
           xargs codeql execute upgrades testdb
          diff -q testdb/ruby.dbscheme downgrades/initial/ruby.dbscheme
  qltest:
-    if: github.repository_owner == 'github'
    runs-on: ubuntu-latest-xl
    strategy:
      fail-fast: false
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
      - uses: ./.github/actions/fetch-codeql
      - uses: ./ruby/actions/create-extractor-pack
      - name: Cache compilation cache
        id: query-cache
        uses: ./.github/actions/cache-query-compilation
-        with:
+        with: 
          key: ruby-qltest
      - name: Run QL tests
        run: |
-          codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+          codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}/ruby/extractor-pack" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
        env:
          GITHUB_TOKEN: ${{ github.token }}
--- a/.github/workflows/rust-analysis.yml
+++ b/.github/workflows/rust-analysis.yml
@@ -1,64 +0,0 @@
-name: "Code scanning - Rust"
-
-on:
-  push:
-    branches:
-      - main
-      - 'rc/*'
-  pull_request:
-    branches:
-      - main
-      - 'rc/*'
-    paths:
-      - '**/*.rs'
-      - '**/Cargo.toml'
-      - '.github/codeql/codeql-config.yml'
-      - '.github/workflows/rust-analysis.yml'
-  schedule:
-    - cron: '0 9 * * 1'
-
-env:
-  CODEQL_ENABLE_EXPERIMENTAL_FEATURES: "true"
-
-jobs:
-  analyze:
-    strategy:
-      matrix:
-        language: [ 'rust' ]
-
-    runs-on: ubuntu-latest
-
-    permissions:
-      contents: read
-      security-events: write
-      pull-requests: read
-
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v4
-
-    - name: Query latest nightly CodeQL bundle
-      shell: bash
-      id: codeql
-      env:
-        GITHUB_TOKEN: ${{ github.token }}
-      run: |
-        REPO=dsp-testing/codeql-cli-nightlies
-        TAG=$(
-          gh release list -R $REPO -L1 --exclude-drafts --json tagName -q ".[] | .tagName"
-        )
-        echo "nightly_bundle=https://github.com/$REPO/releases/download/$TAG/codeql-bundle-linux64.tar.zst" \
-          | tee -a "$GITHUB_OUTPUT"
-
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@main
-      with:
-        tools: ${{ steps.codeql.outputs.nightly_bundle }}
-        languages: ${{ matrix.language }}
-        config-file: ./.github/codeql/codeql-config.yml
-
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@main
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@main
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -1,80 +0,0 @@
-name: "Rust"
-
-on:
-  pull_request:
-    paths:
-      - "rust/**"
-      - "misc/bazel/**"
-      - "misc/codegen/**"
-      - "shared/**"
-      - "MODULE.bazel"
-      - .github/workflows/rust.yml
-      - .github/actions/**
-      - codeql-workspace.yml
-      - "!**/*.md"
-      - "!**/*.qhelp"
-    branches:
-      - rust-experiment
-      - main
-      - rc/*
-      - codeql-cli-*
-
-permissions:
-  contents: read
-
-jobs:
-  rust-ast-generator:
-    runs-on: ubuntu-latest
-    defaults:
-      run:
-        working-directory: rust/ast-generator
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Inject sources
-        shell: bash
-        run: |
-          bazel run //rust/ast-generator:inject-sources
-      - name: Format
-        shell: bash
-        run: |
-          cargo fmt --check
-      - name: Compilation
-        shell: bash
-        run: cargo check
-      - name: Clippy
-        shell: bash
-        run: |
-          cargo clippy --no-deps -- -D warnings
-  rust-code:
-    runs-on: ubuntu-latest
-    defaults:
-      run:
-        working-directory: rust/extractor
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Format
-        shell: bash
-        run: |
-          cargo fmt --check
-      - name: Compilation
-        shell: bash
-        run: cargo check
-      - name: Clippy
-        shell: bash
-        run: |
-          cargo clippy --no-deps -- -D warnings
-  rust-codegen:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Install CodeQL
-        uses: ./.github/actions/fetch-codeql
-      - name: Code generation
-        shell: bash
-        run: |
-          bazel run //rust/codegen
-          git add .
-          git diff --exit-code HEAD
--- a/.github/workflows/swift.yml
+++ b/.github/workflows/swift.yml
@@ -5,8 +5,6 @@ on:
    paths:
      - "swift/**"
      - "misc/bazel/**"
-      - "misc/codegen/**"
-      - "shared/**"
      - "*.bazel*"
      - .github/workflows/swift.yml
      - .github/actions/**
@@ -17,66 +15,89 @@ on:
    branches:
      - main
      - rc/*
-      - codeql-cli-*
-
-permissions:
-  contents: read
-
-defaults:
-  run:
-    shell: bash
-    working-directory: swift
+  push:
+    paths:
+      - "swift/**"
+      - "misc/bazel/**"
+      - "*.bazel*"
+      - .github/workflows/swift.yml
+      - .github/actions/**
+      - codeql-workspace.yml
+      - "!**/*.md"
+      - "!**/*.qhelp"
+    branches:
+      - main
+      - rc/*

 jobs:
-  build-and-test:
-    if: github.repository_owner == 'github'
-    strategy:
-      matrix:
-        runner: [ubuntu-latest, macos-13-xlarge]
-      fail-fast: false
-    runs-on: ${{ matrix.runner }}
+  # not using a matrix as you cannot depend on a specific job in a matrix, and we want to start linux checks
+  # without waiting for the macOS build
+  build-and-test-macos:
+    runs-on: macos-12-xl
    steps:
-      - uses: actions/checkout@v4
-      - name: Setup (Linux)
-        if: runner.os == 'Linux'
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y uuid-dev zlib1g-dev
-      - name: Build Swift extractor
-        shell: bash
-        run: |
-          bazel run :install
-      - name: Run Swift tests
-        shell: bash
-        run: |
-          bazel test ... --test_tag_filters=-override --test_output=errors
-  clang-format:
+      - uses: actions/checkout@v3
+      - uses: ./swift/actions/build-and-test
+  build-and-test-linux:
+    runs-on: ubuntu-latest-xl
+    steps:
+      - uses: actions/checkout@v3
+      - uses: ./swift/actions/build-and-test
+  qltests-linux:
+    needs: build-and-test-linux
+    runs-on: ubuntu-latest-xl
+    steps:
+      - uses: actions/checkout@v3
+      - uses: ./swift/actions/run-ql-tests
+  qltests-macos:
+    if : ${{ github.event_name == 'pull_request' }}
+    needs: build-and-test-macos
+    runs-on: macos-12-xl
+    steps:
+      - uses: actions/checkout@v3
+      - uses: ./swift/actions/run-ql-tests
+  integration-tests-linux:
+    needs: build-and-test-linux
+    runs-on: ubuntu-latest-xl
+    steps:
+      - uses: actions/checkout@v3
+      - uses: ./swift/actions/run-integration-tests
+  integration-tests-macos:
+    if : ${{ github.event_name == 'pull_request' }}
+    needs: build-and-test-macos
+    runs-on: macos-12-xl
+    timeout-minutes: 60
+    steps:
+      - uses: actions/checkout@v3
+      - uses: ./swift/actions/run-integration-tests
+  codegen:
+    if : ${{ github.event_name == 'pull_request' }}
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
-      - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
+      - uses: actions/checkout@v3
+      - uses: bazelbuild/setup-bazelisk@v2
+      - uses: actions/setup-python@v4
+        with:
+          python-version-file: 'swift/.python-version'
+      - uses: pre-commit/action@v3.0.0
        name: Check that python code is properly formatted
        with:
-          extra_args: clang-format --all-files
-  codegen:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
+          extra_args: autopep8 --all-files
      - uses: ./.github/actions/fetch-codeql
-      - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
+      - uses: pre-commit/action@v3.0.0
        name: Check that QL generated code was checked in
        with:
          extra_args: swift-codegen --all-files
      - name: Generate C++ files
        run: |
-          bazel run codegen -- --generate=trap,cpp --cpp-output=$PWD/generated-cpp-files
-      - uses: actions/upload-artifact@v4
+          bazel run //swift/codegen:codegen -- --generate=trap,cpp --cpp-output=$PWD/generated-cpp-files
+      - uses: actions/upload-artifact@v3
        with:
          name: swift-generated-cpp-files
          path: generated-cpp-files/**
-  check-no-override:
+  database-upgrade-scripts:
+    if : ${{ github.event_name == 'pull_request' }}
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
-      - name: Check that no override is present in load.bzl
-        run: bazel test ... --test_tag_filters=override --test_output=errors
+      - uses: actions/checkout@v3
+      - uses: ./.github/actions/fetch-codeql
+      - uses: ./swift/actions/database-upgrade-scripts
--- a/.github/workflows/sync-files.yml
+++ b/.github/workflows/sync-files.yml
@@ -10,16 +10,11 @@ on:
      - main
      - 'rc/*'

-permissions:
-  contents: read
-
 jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
      - name: Check synchronized files
        run: python config/sync-files.py
-      - name: Check dbscheme fragments
-        run: python config/sync-dbscheme-fragments.py

--- a/.github/workflows/tree-sitter-extractor-test.yml
+++ b/.github/workflows/tree-sitter-extractor-test.yml
@@ -1,49 +0,0 @@
-name: Test tree-sitter-extractor
-
-on:
-  push:
-    paths:
-      - "shared/tree-sitter-extractor/**"
-      - .github/workflows/tree-sitter-extractor-test.yml
-    branches:
-      - main
-      - "rc/*"
-  pull_request:
-    paths:
-      - "shared/tree-sitter-extractor/**"
-      - .github/workflows/tree-sitter-extractor-test.yml
-    branches:
-      - main
-      - "rc/*"
-
-env:
-  CARGO_TERM_COLOR: always
-
-defaults:
-  run:
-    working-directory: shared/tree-sitter-extractor
-
-permissions:
-  contents: read
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Check formatting
-        run: cargo fmt -- --check
-      - name: Run tests
-        run: cargo test --verbose
-  fmt:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Check formatting
-        run: cargo fmt --check
-  clippy:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Run clippy
-        run: cargo clippy -- --no-deps -D warnings -A clippy::new_without_default -A clippy::too_many_arguments
--- a/.github/workflows/validate-change-notes.yml
+++ b/.github/workflows/validate-change-notes.yml
@@ -15,15 +15,12 @@ on:
      - ".github/workflows/validate-change-notes.yml"
      - ".github/actions/fetch-codeql/action.yml"

-permissions:
-  contents: read
-
 jobs:
  check-change-note:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3

      - name: Setup CodeQL
        uses: ./.github/actions/fetch-codeql
--- a/.github/workflows/zipmerge-test.yml
+++ b/.github/workflows/zipmerge-test.yml
@@ -1,23 +0,0 @@
-name: "Test zipmerge code"
-
-on:
-  pull_request:
-    paths:
-      - "misc/bazel/internal/zipmerge/**"
-      - "MODULE.bazel"
-      - ".bazelrc*"
-    branches:
-      - main
-      - "rc/*"
-
-permissions:
-  contents: read
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v4
-      - run: |
-          bazel test //misc/bazel/internal/zipmerge:test --test_output=all
--- a/.gitignore
+++ b/.gitignore
@@ -7,8 +7,8 @@
 .cache

 # qltest projects and artifacts
-*.actual
-*/ql/test*/**/*.testproj
+*/ql/test/**/*.testproj
+*/ql/test/**/*.actual
 */ql/test/**/go.sum

 # Visual studio temporaries, except a file used by QL4VS
@@ -39,9 +39,6 @@
 # local bazel options
 /local.bazelrc

-# generated cmake directory
-/.bazel-cmake
-
 # CLion project files
 /.clwb

@@ -62,12 +59,3 @@ node_modules/

 # Temporary folders for working with generated models
 .model-temp
-
-# bazel-built in-tree extractor packs
-/*/extractor-pack
-
-# Jetbrains IDE files
-.idea
-
-# cargo build directory
-/target
--- a/.lfsconfig
+++ b/.lfsconfig
@@ -1,7 +0,0 @@
-[lfs]
-# codeql is publicly forked by many users, and we don't want any LFS file polluting their working
-# copies. We therefore exclude everything by default.
-# For files required by bazel builds, use rules in `misc/bazel/lfs.bzl` to download them on demand.
-# we go for `fetchinclude` to something not exsiting rather than `fetchexclude = *` because the
-# former is easier to override (with `git -c` or a local git config) to fetch something specific
-fetchinclude = /nothing
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -5,38 +5,24 @@ repos:
    rev: v3.2.0
    hooks:
      - id: trailing-whitespace
-        exclude: /test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
+        exclude: /test/.*$(?<!\.ql)(?<!\.qll)(?<!\.qlref)
      - id: end-of-file-fixer
-        exclude: /test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
+        exclude: /test/.*$(?<!\.ql)(?<!\.qll)(?<!\.qlref)

  - repo: https://github.com/pre-commit/mirrors-clang-format
-    rev: v17.0.6
+    rev: v13.0.1
    hooks:
      - id: clang-format
+        files: ^swift/.*\.(h|c|cpp)$

  - repo: https://github.com/pre-commit/mirrors-autopep8
-    rev: v2.0.4
+    rev: v1.6.0
    hooks:
      - id: autopep8
-        files: ^misc/codegen/.*\.py
+        files: ^swift/.*\.py

  - repo: local
    hooks:
-      - id: buildifier
-        name: Format bazel files
-        files: \.(bazel|bzl)
-        language: system
-        entry: bazel run //misc/bazel/buildifier
-        pass_filenames: false
-
-#      DISABLED: can be enabled by copying this config and installing `pre-commit` with `--config` on the copy
-#      - id: go-gen
-#        name: Check checked in generated files in go
-#        files: ^go/.*
-#        language: system
-#        entry: bazel run //go:gen
-#        pass_filenames: false
-
      - id: codeql-format
        name: Fix QL file formatting
        files: \.qll?$
@@ -45,7 +31,7 @@ repos:

      - id: sync-files
        name: Fix files required to be identical
-        files: \.(qll?|qhelp|swift|toml)$|^config/identical-files\.json$
+        files: \.(qll?|qhelp|swift)$|^config/identical-files\.json$
        language: system
        entry: python3 config/sync-files.py --latest
        pass_filenames: false
@@ -58,7 +44,7 @@ repos:

      - id: swift-codegen
        name: Run Swift checked in code generation
-        files: ^misc/codegen/|^swift/(schema.py$|codegen/|.*/generated/|ql/lib/(swift\.dbscheme$|codeql/swift/elements)|ql/\.generated.list)
+        files: ^swift/(schema.py$|codegen/|.*/generated/|ql/lib/(swift\.dbscheme$|codeql/swift/elements)|ql/\.generated.list)
        language: system
        entry: bazel run //swift/codegen -- --quiet
        pass_filenames: false
@@ -67,19 +53,5 @@ repos:
        name: Run Swift code generation unit tests
        files: ^swift/codegen/.*\.py$
        language: system
-        entry: bazel test //misc/codegen/test
-        pass_filenames: false
-
-      - id: rust-codegen
-        name: Run Rust checked in code generation
-        files: ^misc/codegen/|^rust/(prefix\.dbscheme|schema/|codegen/|.*/generated/|ql/lib/(rust\.dbscheme$|codeql/rust/elements)|\.generated.list|ast-generator/)
-        language: system
-        entry: bazel run //rust/codegen -- --quiet
-        pass_filenames: false
-
-      - id: rust-lint
-        name: Run fmt and clippy on Rust code
-        files: ^rust/extractor/(.*rs|Cargo.toml)$
-        language: system
-        entry: python3 rust/lint.py
+        entry: bazel test //swift/codegen/test
        pass_filenames: false
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,6 +1,5 @@
 {
  "omnisharp.autoStart": false,
  "cmake.sourceDirectory": "${workspaceFolder}/swift",
-  "cmake.buildDirectory": "${workspaceFolder}/bazel-cmake-build",
-  "editor.suggest.matchOnWordStartOnly": false
+  "cmake.buildDirectory": "${workspaceFolder}/bazel-cmake-build"
 }
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@@ -22,120 +22,6 @@
                "command": "${config:python.pythonPath}",
            },
            "problemMatcher": []
-        },
-        {
-            "label": "Accept .expected changes from CI",
-            "type": "process",
-            // Non-Windows OS will usually have Python 3 already installed at /usr/bin/python3.
-            "command": "python3",
-            "args": [
-                "misc/scripts/accept-expected-changes-from-ci.py"
-            ],
-            "group": "build",
-            "windows": {
-                // On Windows, use whatever Python interpreter is configured for this workspace. The default is
-                // just `python`, so if Python is already on the path, this will find it.
-                "command": "${config:python.pythonPath}",
-            },
-            "problemMatcher": []
-        },
-        {
-            "label": "Create query change note",
-            "type": "process",
-            "command": "python3",
-            "args": [
-                "misc/scripts/create-change-note.py",
-                "${input:language}",
-                "src",
-                "${input:name}",
-                "${input:categoryQuery}"
-            ],
-            "options": {
-                "env": {
-                    "EDITOR": "code -r",
-                }
-            },
-            "presentation": {
-                "reveal": "never",
-                "close": true
-            },
-            "problemMatcher": []
-        },
-                {
-            "label": "Create library change note",
-            "type": "process",
-            "command": "python3",
-            "args": [
-                "misc/scripts/create-change-note.py",
-                "${input:language}",
-                "lib",
-                "${input:name}",
-                "${input:categoryLibrary}"
-            ],
-            "options": {
-                "env": {
-                    "EDITOR": "code -r"
-                }
-            },
-            "presentation": {
-                "reveal": "never",
-                "close": true
-            },
-            "problemMatcher": []
-        }
-    ],
-    "inputs": [
-        {
-            "type": "pickString",
-            "id": "language",
-            "description": "Language",
-            "options":
-            [
-                "actions",
-                "go",
-                "java",
-                "javascript",
-                "cpp",
-                "csharp",
-                "python",
-                "ruby",
-                "rust",
-                "swift",
-            ]
-        },
-        {
-            "type": "promptString",
-            "id": "name",
-            "description": "Short name (kebab-case)"
-        },
-        {
-            "type": "pickString",
-            "id": "categoryQuery",
-            "description": "Category (query change)",
-            "options":
-            [
-                "breaking",
-                "deprecated",
-                "newQuery",
-                "queryMetadata",
-                "majorAnalysis",
-                "minorAnalysis",
-                "fix",
-            ]
-        },
-                {
-            "type": "pickString",
-            "id": "categoryLibrary",
-            "description": "Category (library change)",
-            "options":
-            [
-                "breaking",
-                "deprecated",
-                "feature",
-                "majorAnalysis",
-                "minorAnalysis",
-                "fix",
-            ]
        }
    ]
-}
+}
--- a/BUILD.bazel
+++ b/BUILD.bazel
@@ -1,5 +0,0 @@
-exports_files([
-    "LICENSE",
-    "Cargo.lock",
-    "Cargo.toml",
-])
--- a/24
+++ b/24
@@ -1,22 +1,16 @@
-/actions/ @github/codeql-dynamic
 /cpp/ @github/codeql-c-analysis
 /csharp/ @github/codeql-csharp
-/csharp/autobuilder/Semmle.Autobuild.Cpp @github/codeql-c-extractor
-/csharp/autobuilder/Semmle.Autobuild.Cpp.Tests @github/codeql-c-extractor
 /go/ @github/codeql-go
 /java/ @github/codeql-java
 /javascript/ @github/codeql-javascript
 /python/ @github/codeql-python
 /ruby/ @github/codeql-ruby
-/rust/ @github/codeql-rust
 /swift/ @github/codeql-swift
-/misc/codegen/ @github/codeql-swift
 /java/kotlin-extractor/ @github/codeql-kotlin
-/java/ql/test-kotlin1/ @github/codeql-kotlin
-/java/ql/test-kotlin2/ @github/codeql-kotlin
+/java/kotlin-explorer/ @github/codeql-kotlin

-# Experimental CodeQL cryptography
-**/experimental/quantum/ @github/ps-codeql
+# ML-powered queries
+/javascript/ql/experimental/adaptivethreatmodeling/ @github/codeql-ml-powered-queries-reviewers

 # CodeQL tools and associated docs
 /docs/codeql/codeql-cli/ @github/codeql-cli-reviewers
@@ -28,7 +22,7 @@
 /ql/ @github/codeql-ql-for-ql-reviewers

 # Bazel (excluding BUILD.bazel files)
-MODULE.bazel @github/codeql-ci-reviewers
+WORKSPACE.bazel @github/codeql-ci-reviewers
 .bazelversion @github/codeql-ci-reviewers
 .bazelrc @github/codeql-ci-reviewers
 **/*.bzl @github/codeql-ci-reviewers
@@ -39,15 +33,9 @@ MODULE.bazel @github/codeql-ci-reviewers

 # Workflows
 /.github/workflows/ @github/codeql-ci-reviewers
+/.github/workflows/atm-* @github/codeql-ml-powered-queries-reviewers
 /.github/workflows/go-* @github/codeql-go
+/.github/workflows/js-ml-tests.yml @github/codeql-ml-powered-queries-reviewers
 /.github/workflows/ql-for-ql-* @github/codeql-ql-for-ql-reviewers
 /.github/workflows/ruby-* @github/codeql-ruby
-/.github/workflows/rust.yml @github/codeql-rust
 /.github/workflows/swift.yml @github/codeql-swift
-
-# Misc
-/misc/scripts/accept-expected-changes-from-ci.py @RasmusWL
-/misc/scripts/generate-code-scanning-query-list.py @RasmusWL
-
-# .devcontainer
-/.devcontainer/ @github/codeql-ci-reviewers
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -4,8 +4,6 @@ We welcome contributions to our CodeQL libraries and queries. Got an idea for a

 There is lots of useful documentation to help you write queries, ranging from information about query file structure to tutorials for specific target languages. For more information on the documentation available, see [CodeQL queries](https://codeql.github.com/docs/writing-codeql-queries/codeql-queries) on [codeql.github.com](https://codeql.github.com).

-Note that the CodeQL for Visual Studio Code documentation has been migrated to https://docs.github.com/en/code-security/codeql-for-vs-code/, but you can still contribute to it via a different repository. For more information, see [Contributing to GitHub Docs documentation](https://docs.github.com/en/contributing)."
-
 ## Change notes

 Any nontrivial user-visible change to a query pack or library pack should have a change note. For details on how to add a change note for your change, see [this guide](docs/change-notes.md).
@@ -16,20 +14,17 @@ If you have an idea for a query that you would like to share with other CodeQL u

 1. **Directory structure**

-    There are eight language-specific query directories in this repository:
+    There are six language-specific query directories in this repository:

      * C/C++: `cpp/ql/src`
      * C#: `csharp/ql/src`
-      * Go: `go/ql/src`
-      * Java/Kotlin: `java/ql/src`
+      * Java: `java/ql/src`
      * JavaScript: `javascript/ql/src`
      * Python: `python/ql/src`
      * Ruby: `ruby/ql/src`
-      * Swift: `swift/ql/src`

    Each language-specific directory contains further subdirectories that group queries based on their `@tags` or purpose.
    - Experimental queries and libraries are stored in the `experimental` subdirectory within each language-specific directory in the [CodeQL repository](https://github.com/github/codeql). For example, experimental Java queries and libraries are stored in `java/ql/src/experimental` and any corresponding tests in `java/ql/test/experimental`.
-    - Experimental queries need to include `experimental` in their `@tags`
    - The structure of an `experimental` subdirectory mirrors the structure of its parent directory.
    - Select or create an appropriate directory in `experimental` based on the existing directory structure of `experimental` or its parent directory.

@@ -45,7 +40,7 @@ If you have an idea for a query that you would like to share with other CodeQL u

 3. **Formatting**

-    - The queries and libraries must be autoformatted, for example using the "Format Document" command in [CodeQL for Visual Studio Code](https://docs.github.com/en/code-security/codeql-for-vs-code/).
+    - The queries and libraries must be autoformatted, for example using the "Format Document" command in [CodeQL for Visual Studio Code](https://codeql.github.com/docs/codeql-for-visual-studio-code/about-codeql-for-visual-studio-code).

    If you prefer, you can either:
    1. install the [pre-commit framework](https://pre-commit.com/) and install the configured hooks on this repo via `pre-commit install`, or
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,17 +0,0 @@
-# This is the shared workspace file for extractor using shared/tree-sitter/extractor
-[workspace]
-
-resolver = "2"
-members = [
-    "shared/tree-sitter-extractor",
-    "ruby/extractor",
-    "rust/extractor",
-    "rust/extractor/macros",
-    "rust/ast-generator",
-    "rust/autobuild",
-]
-
-[patch.crates-io]
-# patch for build script bug preventing bazel build
-# see https://github.com/rust-lang/rustc_apfloat/pull/17
-rustc_apfloat = { git = "https://github.com/redsun82/rustc_apfloat.git", rev = "32968f16ef1b082243f9bf43a3fbd65c381b3e27" }
--- a/2
+++ b/2
@@ -1,6 +1,6 @@
 MIT License

-Copyright (c) 2006-2025 GitHub, Inc.
+Copyright (c) 2006-2020 GitHub, Inc.

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -1,272 +0,0 @@
-module(
-    name = "ql",
-    version = "0.0",
-    repo_name = "codeql",
-)
-
-# this points to our internal repository when `codeql` is checked out as a submodule thereof
-# when building things from `codeql` independently this is stubbed out in `.bazelrc`
-bazel_dep(name = "semmle_code", version = "0.0")
-local_path_override(
-    module_name = "semmle_code",
-    path = "..",
-)
-
-# see https://registry.bazel.build/ for a list of available packages
-
-bazel_dep(name = "platforms", version = "0.0.11")
-bazel_dep(name = "rules_go", version = "0.50.1")
-bazel_dep(name = "rules_pkg", version = "1.0.1")
-bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1")
-bazel_dep(name = "rules_python", version = "0.40.0")
-bazel_dep(name = "rules_shell", version = "0.3.0")
-bazel_dep(name = "bazel_skylib", version = "1.7.1")
-bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "absl")
-bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
-bazel_dep(name = "fmt", version = "10.0.0")
-bazel_dep(name = "rules_kotlin", version = "2.0.0-codeql.1")
-bazel_dep(name = "gazelle", version = "0.40.0")
-bazel_dep(name = "rules_dotnet", version = "0.17.4")
-bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
-bazel_dep(name = "rules_rust", version = "0.58.0")
-bazel_dep(name = "zstd", version = "1.5.5.bcr.1")
-
-bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
-
-# Keep edition and version approximately in sync with internal repo.
-# the versions there are canonical, the versions here are used for CI in github/codeql, as well as for the vendoring of dependencies.
-RUST_EDITION = "2024"
-
-RUST_VERSION = "1.85.0"
-
-rust = use_extension("@rules_rust//rust:extensions.bzl", "rust")
-rust.toolchain(
-    edition = RUST_EDITION,
-    # We need those extra target triples so that we can build universal binaries on macos
-    extra_target_triples = [
-        "x86_64-apple-darwin",
-        "aarch64-apple-darwin",
-    ],
-    versions = [RUST_VERSION],
-)
-use_repo(rust, "rust_toolchains")
-
-register_toolchains("@rust_toolchains//:all")
-
-# deps for python extractor
-# keep in sync by running `misc/bazel/3rdparty/update_cargo_deps.sh`
-py_deps = use_extension("//misc/bazel/3rdparty:py_deps_extension.bzl", "p")
-use_repo(
-    py_deps,
-    "vendor_py__anyhow-1.0.95",
-    "vendor_py__cc-1.2.14",
-    "vendor_py__clap-4.5.30",
-    "vendor_py__regex-1.11.1",
-    "vendor_py__tree-sitter-0.20.4",
-    "vendor_py__tree-sitter-graph-0.7.0",
-)
-
-# deps for ruby+rust
-# keep in sync by running `misc/bazel/3rdparty/update_cargo_deps.sh`
-tree_sitter_extractors_deps = use_extension("//misc/bazel/3rdparty:tree_sitter_extractors_extension.bzl", "r")
-use_repo(
-    tree_sitter_extractors_deps,
-    "vendor_ts__anyhow-1.0.97",
-    "vendor_ts__argfile-0.2.1",
-    "vendor_ts__chalk-ir-0.100.0",
-    "vendor_ts__chrono-0.4.40",
-    "vendor_ts__clap-4.5.35",
-    "vendor_ts__dunce-1.0.5",
-    "vendor_ts__either-1.15.0",
-    "vendor_ts__encoding-0.2.33",
-    "vendor_ts__figment-0.10.19",
-    "vendor_ts__flate2-1.1.0",
-    "vendor_ts__glob-0.3.2",
-    "vendor_ts__globset-0.4.15",
-    "vendor_ts__itertools-0.14.0",
-    "vendor_ts__lazy_static-1.5.0",
-    "vendor_ts__mustache-0.9.0",
-    "vendor_ts__num-traits-0.2.19",
-    "vendor_ts__num_cpus-1.16.0",
-    "vendor_ts__proc-macro2-1.0.94",
-    "vendor_ts__quote-1.0.40",
-    "vendor_ts__ra_ap_base_db-0.0.273",
-    "vendor_ts__ra_ap_cfg-0.0.273",
-    "vendor_ts__ra_ap_hir-0.0.273",
-    "vendor_ts__ra_ap_hir_def-0.0.273",
-    "vendor_ts__ra_ap_hir_expand-0.0.273",
-    "vendor_ts__ra_ap_hir_ty-0.0.273",
-    "vendor_ts__ra_ap_ide_db-0.0.273",
-    "vendor_ts__ra_ap_intern-0.0.273",
-    "vendor_ts__ra_ap_load-cargo-0.0.273",
-    "vendor_ts__ra_ap_parser-0.0.273",
-    "vendor_ts__ra_ap_paths-0.0.273",
-    "vendor_ts__ra_ap_project_model-0.0.273",
-    "vendor_ts__ra_ap_span-0.0.273",
-    "vendor_ts__ra_ap_stdx-0.0.273",
-    "vendor_ts__ra_ap_syntax-0.0.273",
-    "vendor_ts__ra_ap_vfs-0.0.273",
-    "vendor_ts__rand-0.9.0",
-    "vendor_ts__rayon-1.10.0",
-    "vendor_ts__regex-1.11.1",
-    "vendor_ts__serde-1.0.219",
-    "vendor_ts__serde_json-1.0.140",
-    "vendor_ts__serde_with-3.12.0",
-    "vendor_ts__syn-2.0.100",
-    "vendor_ts__toml-0.8.20",
-    "vendor_ts__tracing-0.1.41",
-    "vendor_ts__tracing-flame-0.2.0",
-    "vendor_ts__tracing-subscriber-0.3.19",
-    "vendor_ts__tree-sitter-0.24.6",
-    "vendor_ts__tree-sitter-embedded-template-0.23.2",
-    "vendor_ts__tree-sitter-json-0.24.8",
-    "vendor_ts__tree-sitter-ql-0.23.1",
-    "vendor_ts__tree-sitter-ruby-0.23.1",
-    "vendor_ts__triomphe-0.1.14",
-    "vendor_ts__ungrammar-1.16.1",
-)
-
-http_archive = use_repo_rule("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
-
-# rust-analyzer sources needed by the rust ast-generator (see `rust/ast-generator/README.md`)
-RUST_ANALYZER_SRC_TAG = "2025-01-07"
-
-http_archive(
-    name = "rust-analyzer-src",
-    build_file = "//rust/ast-generator:BUILD.rust-analyzer-src.bazel",
-    integrity = "sha256-eo8mIaUafZL8LOM65bDIIIXw1rNQ/P/x5RK/XUtgo5g=",
-    patch_args = ["-p1"],
-    patches = [
-        "//rust/ast-generator:patches/rust-analyzer.patch",
-    ],
-    strip_prefix = "rust-analyzer-%s" % RUST_ANALYZER_SRC_TAG,
-    url = "https://github.com/rust-lang/rust-analyzer/archive/refs/tags/%s.tar.gz" % RUST_ANALYZER_SRC_TAG,
-)
-
-dotnet = use_extension("@rules_dotnet//dotnet:extensions.bzl", "dotnet")
-dotnet.toolchain(dotnet_version = "9.0.100")
-use_repo(dotnet, "dotnet_toolchains")
-
-register_toolchains("@dotnet_toolchains//:all")
-
-csharp_main_extension = use_extension("//csharp:paket.main_extension.bzl", "main_extension")
-use_repo(csharp_main_extension, "paket.main")
-
-pip = use_extension("@rules_python//python/extensions:pip.bzl", "pip")
-pip.parse(
-    hub_name = "codegen_deps",
-    python_version = "3.12",
-    requirements_lock = "//misc/codegen:requirements_lock.txt",
-)
-use_repo(pip, "codegen_deps")
-
-swift_deps = use_extension("//swift/third_party:load.bzl", "swift_deps")
-
-# following list can be kept in sync with `bazel mod tidy`
-use_repo(
-    swift_deps,
-    "binlog",
-    "picosha2",
-    "swift-prebuilt-linux",
-    "swift-prebuilt-linux-download-only",
-    "swift-prebuilt-macos",
-    "swift-prebuilt-macos-download-only",
-    "swift-resource-dir-linux",
-    "swift-resource-dir-macos",
-)
-
-node = use_extension("@rules_nodejs//nodejs:extensions.bzl", "node")
-node.toolchain(
-    name = "nodejs",
-    node_urls = [
-        "https://nodejs.org/dist/v{version}/{filename}",
-        "https://mirrors.dotsrc.org/nodejs/release/v{version}/{filename}",
-    ],
-    node_version = "18.15.0",
-)
-use_repo(node, "nodejs", "nodejs_toolchains")
-
-kotlin_extractor_deps = use_extension("//java/kotlin-extractor:deps.bzl", "kotlin_extractor_deps")
-
-# following list can be kept in sync by running `bazel mod tidy` in `codeql`
-use_repo(
-    kotlin_extractor_deps,
-    "codeql_kotlin_defaults",
-    "codeql_kotlin_embeddable",
-    "kotlin-compiler-1.5.0",
-    "kotlin-compiler-1.5.10",
-    "kotlin-compiler-1.5.20",
-    "kotlin-compiler-1.5.30",
-    "kotlin-compiler-1.6.0",
-    "kotlin-compiler-1.6.20",
-    "kotlin-compiler-1.7.0",
-    "kotlin-compiler-1.7.20",
-    "kotlin-compiler-1.8.0",
-    "kotlin-compiler-1.9.0-Beta",
-    "kotlin-compiler-1.9.20-Beta",
-    "kotlin-compiler-2.0.0-RC1",
-    "kotlin-compiler-2.0.20-Beta2",
-    "kotlin-compiler-2.1.0-Beta1",
-    "kotlin-compiler-2.1.20-Beta1",
-    "kotlin-compiler-embeddable-1.5.0",
-    "kotlin-compiler-embeddable-1.5.10",
-    "kotlin-compiler-embeddable-1.5.20",
-    "kotlin-compiler-embeddable-1.5.30",
-    "kotlin-compiler-embeddable-1.6.0",
-    "kotlin-compiler-embeddable-1.6.20",
-    "kotlin-compiler-embeddable-1.7.0",
-    "kotlin-compiler-embeddable-1.7.20",
-    "kotlin-compiler-embeddable-1.8.0",
-    "kotlin-compiler-embeddable-1.9.0-Beta",
-    "kotlin-compiler-embeddable-1.9.20-Beta",
-    "kotlin-compiler-embeddable-2.0.0-RC1",
-    "kotlin-compiler-embeddable-2.0.20-Beta2",
-    "kotlin-compiler-embeddable-2.1.0-Beta1",
-    "kotlin-compiler-embeddable-2.1.20-Beta1",
-    "kotlin-stdlib-1.5.0",
-    "kotlin-stdlib-1.5.10",
-    "kotlin-stdlib-1.5.20",
-    "kotlin-stdlib-1.5.30",
-    "kotlin-stdlib-1.6.0",
-    "kotlin-stdlib-1.6.20",
-    "kotlin-stdlib-1.7.0",
-    "kotlin-stdlib-1.7.20",
-    "kotlin-stdlib-1.8.0",
-    "kotlin-stdlib-1.9.0-Beta",
-    "kotlin-stdlib-1.9.20-Beta",
-    "kotlin-stdlib-2.0.0-RC1",
-    "kotlin-stdlib-2.0.20-Beta2",
-    "kotlin-stdlib-2.1.0-Beta1",
-    "kotlin-stdlib-2.1.20-Beta1",
-)
-
-go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
-go_sdk.download(version = "1.24.0")
-
-go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
-go_deps.from_file(go_mod = "//go/extractor:go.mod")
-use_repo(go_deps, "org_golang_x_mod", "org_golang_x_tools")
-
-lfs_files = use_repo_rule("//misc/bazel:lfs.bzl", "lfs_files")
-
-lfs_files(
-    name = "ripunzip-linux",
-    srcs = ["//misc/ripunzip:ripunzip-linux"],
-    executable = True,
-)
-
-lfs_files(
-    name = "ripunzip-windows",
-    srcs = ["//misc/ripunzip:ripunzip-windows.exe"],
-    executable = True,
-)
-
-lfs_files(
-    name = "ripunzip-macos",
-    srcs = ["//misc/ripunzip:ripunzip-macos"],
-    executable = True,
-)
-
-register_toolchains(
-    "@nodejs_toolchains//:all",
-)
--- a/README.md
+++ b/README.md
@@ -4,14 +4,12 @@ This open source repository contains the standard CodeQL libraries and queries t

 ## How do I learn CodeQL and run queries?

-There is extensive documentation about the [CodeQL language](https://codeql.github.com/docs/), writing CodeQL using the [CodeQL extension for Visual Studio Code](https://docs.github.com/en/code-security/codeql-for-vs-code/) and using the [CodeQL CLI](https://docs.github.com/en/code-security/codeql-cli).
+There is [extensive documentation](https://codeql.github.com/docs/) on getting started with writing CodeQL using the [CodeQL extension for Visual Studio Code](https://codeql.github.com/docs/codeql-for-visual-studio-code/) and the [CodeQL CLI](https://codeql.github.com/docs/codeql-cli/).

 ## Contributing

 We welcome contributions to our standard library and standard checks. Do you have an idea for a new check, or how to improve an existing query? Then please go ahead and open a pull request! Before you do, though, please take the time to read our [contributing guidelines](CONTRIBUTING.md). You can also consult our [style guides](https://github.com/github/codeql/tree/main/docs) to learn how to format your code for consistency and clarity, how to write query metadata, and how to write query help documentation for your query.

-For information on contributing to CodeQL documentation, see the "[contributing guide](docs/codeql/CONTRIBUTING.md)" for docs.
-
 ## License

 The code in this repository is licensed under the [MIT License](LICENSE) by [GitHub](https://github.com).
--- a/WORKSPACE.bazel
+++ b/WORKSPACE.bazel
@@ -0,0 +1,12 @@
+# Please notice that any bazel targets and definitions in this repository are currently experimental
+# and for internal use only.
+
+workspace(name = "codeql")
+
+load("//misc/bazel:workspace.bzl", "codeql_workspace")
+
+codeql_workspace()
+
+load("//misc/bazel:workspace_deps.bzl", "codeql_workspace_deps")
+
+codeql_workspace_deps()
--- a/actions/BUILD.bazel
+++ b/actions/BUILD.bazel
@@ -1,9 +0,0 @@
-load("//misc/bazel:pkg.bzl", "codeql_pack")
-
-package(default_visibility = ["//visibility:public"])
-
-codeql_pack(
-    name = "actions",
-    srcs = ["//actions/extractor"],
-    experimental = True,
-)
--- a/actions/extractor/BUILD.bazel
+++ b/actions/extractor/BUILD.bazel
@@ -1,12 +0,0 @@
-load("//misc/bazel:pkg.bzl", "codeql_pkg_files", "strip_prefix")
-
-codeql_pkg_files(
-    name = "extractor",
-    srcs = [
-        "codeql-extractor.yml",
-        "//:LICENSE",
-    ],
-    exes = glob(["tools/**"]),
-    strip_prefix = strip_prefix.from_pkg(),
-    visibility = ["//actions:__pkg__"],
-)
--- a/actions/extractor/codeql-extractor.yml
+++ b/actions/extractor/codeql-extractor.yml
@@ -1,44 +0,0 @@
-name: "actions"
-aliases: []
-display_name: "GitHub Actions"
-version: 0.0.1
-column_kind: "utf16"
-unicode_newlines: true
-build_modes:
-  - none
-file_coverage_languages: []
-github_api_languages: []
-scc_languages: []
-file_types:
-  - name: workflow
-    display_name: GitHub Actions workflow files
-    extensions:
-      - .yml
-      - .yaml
-forwarded_extractor_name: javascript
-options:
-  trap:
-    title: TRAP options
-    description: Options about how the extractor handles TRAP files
-    type: object
-    visibility: 3
-    properties:
-      cache:
-        title: TRAP cache options
-        description: Options about how the extractor handles its TRAP cache
-        type: object
-        properties:
-          dir:
-            title: TRAP cache directory
-            description: The directory of the TRAP cache to use
-            type: string
-          bound:
-            title: TRAP cache bound
-            description: A soft limit (in MB) on the size of the TRAP cache
-            type: string
-            pattern: "[0-9]+"
-          write:
-            title: TRAP cache writeable
-            description: Whether to write to the TRAP cache as well as reading it
-            type: string
-            pattern: "(true|TRUE|false|FALSE)"
--- a/actions/extractor/tools/autobuild-impl.ps1
+++ b/actions/extractor/tools/autobuild-impl.ps1
@@ -1,53 +0,0 @@
-# Note: We're adding the `reusable_workflows` subdirectories to proactively
-# record workflows that were called cross-repo, check them out locally,
-# and enable an interprocedural analysis across the workflow files.
-# These workflows follow the convention `.github/reusable_workflows/<nwo>/*.ya?ml`
-$DefaultPathFilters = @(
-    'exclude:**/*',
-    'include:.github/workflows/*.yml',
-    'include:.github/workflows/*.yaml',
-    'include:.github/reusable_workflows/**/*.yml',
-    'include:.github/reusable_workflows/**/*.yaml',
-    'include:**/action.yml',
-    'include:**/action.yaml'
-)
-
-if ($null -ne $env:LGTM_INDEX_FILTERS) {
-    Write-Output 'LGTM_INDEX_FILTERS set. Using the default filters together with the user-provided filters, and passing through to the JavaScript extractor.'
-    # Begin with the default path inclusions only,
-    # followed by the user-provided filters.
-    # If the user provided `paths`, those patterns override the default inclusions
-    # (because `LGTM_INDEX_FILTERS` will begin with `exclude:**/*`).
-    # If the user provided `paths-ignore`, those patterns are excluded.
-    $PathFilters = ($DefaultPathFilters -join "`n") + "`n" + $env:LGTM_INDEX_FILTERS
-    $env:LGTM_INDEX_FILTERS = $PathFilters
-} else {
-    Write-Output 'LGTM_INDEX_FILTERS not set. Using the default filters, and passing through to the JavaScript extractor.'
-    $env:LGTM_INDEX_FILTERS = $DefaultPathFilters -join "`n"
-}
-
-# Find the JavaScript extractor directory via `codeql resolve extractor`.
-$CodeQL = Join-Path $env:CODEQL_DIST 'codeql.exe'
-$env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT = &"$CodeQL" resolve extractor --language javascript
-if ($LASTEXITCODE -ne 0) {
-    throw 'Failed to resolve JavaScript extractor.'
-}
-
-Write-Output "Found JavaScript extractor at '${env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}'."
-
-# Run the JavaScript autobuilder.
-$JavaScriptAutoBuild = Join-Path $env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT 'tools\autobuild.cmd'
-Write-Output "Running JavaScript autobuilder at '${JavaScriptAutoBuild}'."
-
-# Copy the values of the Actions extractor environment variables to the JavaScript extractor environment variables.
-$env:CODEQL_EXTRACTOR_JAVASCRIPT_DIAGNOSTIC_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_DIAGNOSTIC_DIR
-$env:CODEQL_EXTRACTOR_JAVASCRIPT_LOG_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_LOG_DIR
-$env:CODEQL_EXTRACTOR_JAVASCRIPT_SCRATCH_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_SCRATCH_DIR
-$env:CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_SOURCE_ARCHIVE_DIR
-$env:CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR
-$env:CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE = $env:CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE
-
-&"$JavaScriptAutoBuild"
-if ($LASTEXITCODE -ne 0) {
-    throw "JavaScript autobuilder failed."
-}
--- a/actions/extractor/tools/autobuild.cmd
+++ b/actions/extractor/tools/autobuild.cmd
@@ -1,4 +0,0 @@
-@echo off
-rem All of the work is done in the PowerShell script
-echo "Running PowerShell script at '%~dp0autobuild-impl.ps1'"
-powershell.exe -File "%~dp0autobuild-impl.ps1"
--- a/actions/extractor/tools/autobuild.sh
+++ b/actions/extractor/tools/autobuild.sh
@@ -1,57 +0,0 @@
-#!/bin/sh
-
-set -eu
-
-# Note: We're adding the `reusable_workflows` subdirectories to proactively
-# record workflows that were called cross-repo, check them out locally,
-# and enable an interprocedural analysis across the workflow files.
-# These workflows follow the convention `.github/reusable_workflows/<nwo>/*.ya?ml`
-DEFAULT_PATH_FILTERS=$(cat << END
-exclude:**/*
-include:.github/workflows/*.yml
-include:.github/workflows/*.yaml
-include:.github/reusable_workflows/**/*.yml
-include:.github/reusable_workflows/**/*.yaml
-include:**/action.yml
-include:**/action.yaml
-END
-)
-
-if [ -n "${LGTM_INDEX_FILTERS:-}" ]; then
-    echo "LGTM_INDEX_FILTERS set. Using the default filters together with the user-provided filters, and passing through to the JavaScript extractor."
-    # Begin with the default path inclusions only,
-    # followed by the user-provided filters.
-    # If the user provided `paths`, those patterns override the default inclusions
-    # (because `LGTM_INDEX_FILTERS` will begin with `exclude:**/*`).
-    # If the user provided `paths-ignore`, those patterns are excluded.
-    PATH_FILTERS="$(cat << END
-${DEFAULT_PATH_FILTERS}
-${LGTM_INDEX_FILTERS}
-END
-)"
-    LGTM_INDEX_FILTERS="${PATH_FILTERS}"
-    export LGTM_INDEX_FILTERS
-else
-    echo "LGTM_INDEX_FILTERS not set. Using the default filters, and passing through to the JavaScript extractor."
-    LGTM_INDEX_FILTERS="${DEFAULT_PATH_FILTERS}"
-    export LGTM_INDEX_FILTERS
-fi
-
-# Find the JavaScript extractor directory via `codeql resolve extractor`.
-CODEQL_EXTRACTOR_JAVASCRIPT_ROOT="$("${CODEQL_DIST}/codeql" resolve extractor --language javascript)"
-export CODEQL_EXTRACTOR_JAVASCRIPT_ROOT
-
-echo "Found JavaScript extractor at '${CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}'."
-
-# Run the JavaScript autobuilder
-JAVASCRIPT_AUTO_BUILD="${CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}/tools/autobuild.sh"
-echo "Running JavaScript autobuilder at '${JAVASCRIPT_AUTO_BUILD}'."
-
-# Copy the values of the Actions extractor environment variables to the JavaScript extractor environment variables.
-env CODEQL_EXTRACTOR_JAVASCRIPT_DIAGNOSTIC_DIR="${CODEQL_EXTRACTOR_ACTIONS_DIAGNOSTIC_DIR}" \
-    CODEQL_EXTRACTOR_JAVASCRIPT_LOG_DIR="${CODEQL_EXTRACTOR_ACTIONS_LOG_DIR}" \
-    CODEQL_EXTRACTOR_JAVASCRIPT_SCRATCH_DIR="${CODEQL_EXTRACTOR_ACTIONS_SCRATCH_DIR}" \
-    CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR="${CODEQL_EXTRACTOR_ACTIONS_SOURCE_ARCHIVE_DIR}" \
-    CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR="${CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR}" \
-    CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE="${CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE}" \
-    "${JAVASCRIPT_AUTO_BUILD}"
--- a/actions/ql/extensions/immutable-actions-list/ext/immutable_actions.yml
+++ b/actions/ql/extensions/immutable-actions-list/ext/immutable_actions.yml
@@ -1,28 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/actions-all
-      extensible: immutableActionsDataModel
-    data:
-      - ["actions/checkout"]
-      - ["actions/cache"]
-      - ["actions/setup-node"]
-      - ["actions/upload-artifact"]
-      - ["actions/setup-python"]
-      - ["actions/download-artifact"]
-      - ["actions/github-script"]
-      - ["actions/setup-java"]
-      - ["actions/setup-go"]
-      - ["actions/upload-pages-artifact"]
-      - ["actions/deploy-pages"]
-      - ["actions/setup-dotnet"]
-      - ["actions/stale"]
-      - ["actions/labeler"]
-      - ["actions/create-github-app-token"]
-      - ["actions/configure-pages"]
-      - ["github/codeql-action/analyze"]
-      - ["github/codeql-action/autobuild"]
-      - ["github/codeql-action/init"]
-      - ["github/codeql-action/resolve-environment"]
-      - ["github/codeql-action/start-proxy"]
-      - ["github/codeql-action/upload-sarif"]
-      - ["octokit/request-action"]
--- a/actions/ql/extensions/immutable-actions-list/qlpack.yml
+++ b/actions/ql/extensions/immutable-actions-list/qlpack.yml
@@ -1,14 +0,0 @@
-# Model pack containing the list of known immutable actions. The Immutable Actions feature is not
-# yet released, so this pack will only be used within GitHub. Once the feature is available to
-# customers, we will move the contents of this pack back into the standard library pack.
-name: codeql/immutable-actions-list
-version: 0.0.1-dev
-library: true
-warnOnImplicitThis: true
-extensionTargets:
-  # We expect to need this model pack even after GA of Actions analysis, so make it compatible with
-  # all future prereleases plus 1.x.x. We should be able to remove this back before we need to
-  # bump the major version to 2.
-  codeql/actions-all: ">=0.4.3 <2.0.0"
-dataExtensions:
- ext/**/*.yml
--- a/actions/ql/integration-tests/filters-default/actions.ql
+++ b/actions/ql/integration-tests/filters-default/actions.ql
@@ -1,5 +0,0 @@
-import actions
-
-from AstNode n
-where n instanceof Workflow or n instanceof CompositeAction
-select n
--- a/actions/ql/integration-tests/filters/actions.default-filters.expected
+++ b/actions/ql/integration-tests/filters/actions.default-filters.expected
@@ -1,6 +0,0 @@
-| src/.github/action.yaml:1:1:11:32 | name: ' ... action' |
-| src/.github/actions/action-name/action.yml:1:1:11:32 | name: ' ... action' |
-| src/.github/workflows/workflow.yml:1:1:12:33 | name: A workflow |
-| src/action.yml:1:1:11:32 | name: ' ... action' |
-| src/excluded/action.yml:1:1:11:32 | name: ' ... action' |
-| src/included/action.yml:1:1:11:32 | name: ' ... action' |
--- a/actions/ql/integration-tests/filters/actions.paths-and-paths-ignore.expected
+++ b/actions/ql/integration-tests/filters/actions.paths-and-paths-ignore.expected
@@ -1,2 +0,0 @@
-| src/included/action.yml:1:1:11:32 | name: ' ... action' |
-| src/included/unreachable-workflow.yml:1:1:12:33 | name: A ... orkflow |
--- a/actions/ql/integration-tests/filters/actions.paths-ignore-only.expected
+++ b/actions/ql/integration-tests/filters/actions.paths-ignore-only.expected
@@ -1,5 +0,0 @@
-| src/.github/action.yaml:1:1:11:32 | name: ' ... action' |
-| src/.github/actions/action-name/action.yml:1:1:11:32 | name: ' ... action' |
-| src/.github/workflows/workflow.yml:1:1:12:33 | name: A workflow |
-| src/action.yml:1:1:11:32 | name: ' ... action' |
-| src/included/action.yml:1:1:11:32 | name: ' ... action' |
--- a/actions/ql/integration-tests/filters/actions.paths-only.expected
+++ b/actions/ql/integration-tests/filters/actions.paths-only.expected
@@ -1,2 +0,0 @@
-| src/included/action.yml:1:1:11:32 | name: ' ... action' |
-| src/included/unreachable-workflow.yml:1:1:12:33 | name: A ... orkflow |
--- a/actions/ql/integration-tests/filters/actions.ql
+++ b/actions/ql/integration-tests/filters/actions.ql
@@ -1,5 +0,0 @@
-import actions
-
-from AstNode n
-where n instanceof Workflow or n instanceof CompositeAction
-select n
--- a/actions/ql/integration-tests/filters/codeql-config.paths-and-paths-ignore.yml
+++ b/actions/ql/integration-tests/filters/codeql-config.paths-and-paths-ignore.yml
@@ -1,4 +0,0 @@
-paths:
-  - 'included'
-paths-ignore:
-  - 'excluded'
--- a/actions/ql/integration-tests/filters/codeql-config.paths-ignore-only.yml
+++ b/actions/ql/integration-tests/filters/codeql-config.paths-ignore-only.yml
@@ -1,2 +0,0 @@
-paths-ignore:
-  - 'excluded'
--- a/actions/ql/integration-tests/filters/codeql-config.paths-only.yml
+++ b/actions/ql/integration-tests/filters/codeql-config.paths-only.yml
@@ -1,2 +0,0 @@
-paths:
-  - 'included'
--- a/actions/ql/integration-tests/filters/source_archive.default-filters.expected
+++ b/actions/ql/integration-tests/filters/source_archive.default-filters.expected
@@ -1,6 +0,0 @@
-src/.github/action.yaml
-src/.github/actions/action-name/action.yml
-src/.github/workflows/workflow.yml
-src/action.yml
-src/excluded/action.yml
-src/included/action.yml
--- a/actions/ql/integration-tests/filters/source_archive.paths-and-paths-ignore.expected
+++ b/actions/ql/integration-tests/filters/source_archive.paths-and-paths-ignore.expected
@@ -1,3 +0,0 @@
-src/included/action.yml
-src/included/not-an-action.yml
-src/included/unreachable-workflow.yml
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Andrew Eisenberg	d227a018e6	Fix test results	2023-01-03 19:18:46 -08:00
Andrew Eisenberg	606b836af4	Remove some extensions	2023-01-02 17:10:39 -08:00
Michael Nebel	709d0c0c8d	Update data extensions after rebase.	2022-12-15 11:46:49 +01:00
Michael Nebel	83e2cbee82	Add script for easily running the dummy queries.	2022-12-15 11:46:47 +01:00
Michael Nebel	777feccaea	Java: Add some query dummy query packs.	2022-12-15 11:20:59 +01:00
Michael Nebel	927d017f3d	Java: Add small dummy suite that depends on lib and which adds 1M extra tuples.	2022-12-15 11:20:57 +01:00
Michael Nebel	11636862f6	Java: Add a dummy test to project the first column of the extensible extSummaryModel predicate.	2022-12-15 11:20:57 +01:00
Michael Nebel	3b77a1d24f	Java: Add around 3M tuples in a predicate.	2022-12-15 11:20:55 +01:00
Michael Nebel	798f4efcfb	Java: Add script and dummy query for producing lots of summary models as data extensions.	2022-12-15 11:20:54 +01:00
@@ -1 +1 @@
 .1.1
 .0.0