Merge pull request #272 from microsoft/jb1/2.22.3

Merge upstream `codeql-cli-2.22.3`
PS: Port changes from #20132 to PowerShell.
2026-05-25 00:27:09 +02:00 · 2025-08-12 16:33:08 +02:00 · 2025-08-12 14:52:12 +01:00 · 2025-08-11 12:56:34 -07:00 · 2025-08-11 12:45:33 -07:00 · 2025-08-11 12:45:01 -07:00
6447 changed files with 260515 additions and 131133 deletions
--- a/.bazelrc
+++ b/.bazelrc
@@ -30,9 +30,6 @@ common --registry=https://bcr.bazel.build

 common --@rules_dotnet//dotnet/settings:strict_deps=false

-# we only configure a nightly toolchain
-common --@rules_rust//rust/toolchain/channel=nightly
-
 # Reduce this eventually to empty, once we've fixed all our usages of java, and https://github.com/bazel-contrib/rules_go/issues/4193 is fixed
 common --incompatible_autoload_externally="+@rules_java,+@rules_shell"

--- a/.gitattributes
+++ b/.gitattributes
@@ -88,3 +88,8 @@
 # swift prebuilt resources
 /swift/third_party/resources/*.zip filter=lfs diff=lfs merge=lfs -text
 /swift/third_party/resources/*.tar.zst filter=lfs diff=lfs merge=lfs -text
+
+# This upgrade script must use windows line-endings to be compatible with old
+# databases.
+/powershell/ql/lib/upgrades/ce269c61feda10a8ca0d16519085f7e55741a694/old.dbscheme eol=crlf
+/powershell/downgrades/802d5b9f407fb0dac894df1c0b4584f2215e1512/semmlecode.powershell.dbscheme eol=crlf
--- a/.github/workflows/build-ripunzip.yml
+++ b/.github/workflows/build-ripunzip.yml
@@ -20,7 +20,7 @@ jobs:
        os: [ubuntu-22.04, macos-13, windows-2022]
    runs-on: ${{ matrix.os }}
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
        with:
          repository: google/ripunzip
          ref: ${{ inputs.ripunzip-version }}
@@ -28,7 +28,7 @@ jobs:
      # see https://github.com/sfackler/rust-openssl/issues/183
      - if: runner.os == 'Linux'
        name: checkout openssl
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
        with:
          repository: openssl/openssl
          path: openssl
--- a/.github/workflows/buildifier.yml
+++ b/.github/workflows/buildifier.yml
@@ -17,7 +17,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Check bazel formatting
        uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
        with:
--- a/.github/workflows/check-implicit-this.yml
+++ b/.github/workflows/check-implicit-this.yml
@@ -16,7 +16,7 @@ jobs:
  check:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Check that implicit this warnings is enabled for all packs
        shell: bash
        run: |
--- a/.github/workflows/check-overlay-annotations.yml
+++ b/.github/workflows/check-overlay-annotations.yml
@@ -17,7 +17,7 @@ jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Check overlay annotations
        run: python config/add-overlay-annotations.py --check java

--- a/.github/workflows/check-qldoc.yml
+++ b/.github/workflows/check-qldoc.yml
@@ -18,7 +18,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
        with:
          fetch-depth: 2

--- a/.github/workflows/check-query-ids.yml
+++ b/.github/workflows/check-query-ids.yml
@@ -19,6 +19,6 @@ jobs:
    name: Check query IDs
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Check for duplicate query IDs
        run: python3 misc/scripts/check-query-ids.py
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -34,10 +34,10 @@ jobs:
    - name: Setup dotnet
      uses: actions/setup-dotnet@v4
      with:
-        dotnet-version: 9.0.300
+        dotnet-version: 9.0.100

    - name: Checkout repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v4

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
--- a/.github/workflows/compile-queries.yml
+++ b/.github/workflows/compile-queries.yml
@@ -22,7 +22,7 @@ jobs:
    runs-on: ubuntu-latest-xl

    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Setup CodeQL
        uses: ./.github/actions/fetch-codeql
        with:
--- a/.github/workflows/cpp-swift-analysis.yml
+++ b/.github/workflows/cpp-swift-analysis.yml
@@ -28,7 +28,7 @@ jobs:

    steps:
    - name: Checkout repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v4

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
--- a/.github/workflows/csharp-qltest.yml
+++ b/.github/workflows/csharp-qltest.yml
@@ -39,23 +39,23 @@ jobs:
        os: [ubuntu-latest, windows-latest]
    runs-on: ${{ matrix.os }}
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Setup dotnet
        uses: actions/setup-dotnet@v4
        with:
-          dotnet-version: 9.0.300
+          dotnet-version: 9.0.100
      - name: Extractor unit tests
        run: |
          dotnet tool restore
-          dotnet test -p:RuntimeFrameworkVersion=9.0.5 extractor/Semmle.Util.Tests
-          dotnet test -p:RuntimeFrameworkVersion=9.0.5 extractor/Semmle.Extraction.Tests
-          dotnet test -p:RuntimeFrameworkVersion=9.0.5 autobuilder/Semmle.Autobuild.CSharp.Tests
-          dotnet test -p:RuntimeFrameworkVersion=9.0.5 autobuilder/Semmle.Autobuild.Cpp.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.0 extractor/Semmle.Util.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.0 extractor/Semmle.Extraction.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.0 autobuilder/Semmle.Autobuild.CSharp.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.0 autobuilder/Semmle.Autobuild.Cpp.Tests
        shell: bash
  stubgentest:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - uses: ./csharp/actions/create-extractor-pack
      - name: Run stub generator tests
        run: |
--- a/.github/workflows/csv-coverage-metrics.yml
+++ b/.github/workflows/csv-coverage-metrics.yml
@@ -23,7 +23,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Setup CodeQL
        uses: ./.github/actions/fetch-codeql
      - name: Create empty database
@@ -51,7 +51,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Setup CodeQL
        uses: ./.github/actions/fetch-codeql
      - name: Create empty database
--- a/.github/workflows/csv-coverage-pr-artifacts.yml
+++ b/.github/workflows/csv-coverage-pr-artifacts.yml
@@ -35,11 +35,11 @@ jobs:
          GITHUB_CONTEXT: ${{ toJSON(github.event) }}
        run: echo "$GITHUB_CONTEXT"
      - name: Clone self (github/codeql) - MERGE
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
        with:
          path: merge
      - name: Clone self (github/codeql) - BASE
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
        with:
          fetch-depth: 2
          path: base
--- a/.github/workflows/csv-coverage-pr-comment.yml
+++ b/.github/workflows/csv-coverage-pr-comment.yml
@@ -24,7 +24,7 @@ jobs:
        GITHUB_CONTEXT: ${{ toJSON(github.event) }}
      run: echo "$GITHUB_CONTEXT"
    - name: Clone self (github/codeql)
-      uses: actions/checkout@v5
+      uses: actions/checkout@v4
    - name: Set up Python 3.8
      uses: actions/setup-python@v4
      with:
--- a/.github/workflows/csv-coverage-timeseries.yml
+++ b/.github/workflows/csv-coverage-timeseries.yml
@@ -12,11 +12,11 @@ jobs:

    steps:
      - name: Clone self (github/codeql)
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
        with:
          path: script
      - name: Clone self (github/codeql) for analysis
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
        with:
          path: codeqlModels
          fetch-depth: 0
--- a/.github/workflows/csv-coverage-update.yml
+++ b/.github/workflows/csv-coverage-update.yml
@@ -21,7 +21,7 @@ jobs:
          GITHUB_CONTEXT: ${{ toJSON(github.event) }}
        run: echo "$GITHUB_CONTEXT"
      - name: Clone self (github/codeql)
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
        with:
          path: ql
          fetch-depth: 0
--- a/.github/workflows/csv-coverage.yml
+++ b/.github/workflows/csv-coverage.yml
@@ -16,11 +16,11 @@ jobs:

    steps:
      - name: Clone self (github/codeql)
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
        with:
          path: script
      - name: Clone self (github/codeql) for analysis
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
        with:
          path: codeqlModels
          ref: ${{ github.event.inputs.qlModelShaOverride || github.ref }}
--- a/.github/workflows/fast-forward.yml
+++ b/.github/workflows/fast-forward.yml
@@ -26,7 +26,7 @@ jobs:
          exit 1

      - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4

      - name: Git config
        shell: bash
--- a/.github/workflows/go-tests.yml
+++ b/.github/workflows/go-tests.yml
@@ -22,7 +22,7 @@ jobs:
    runs-on: ubuntu-latest-xl
    steps:
      - name: Check out code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Run tests
        uses: ./go/actions/test
        with:
--- a/.github/workflows/kotlin-build.yml
+++ b/.github/workflows/kotlin-build.yml
@@ -20,7 +20,7 @@ jobs:
  build:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - run: |
          bazel query //java/kotlin-extractor/...
          # only build the default version as a quick check that we can build from `codeql`
--- a/.github/workflows/mad_modelDiff.yml
+++ b/.github/workflows/mad_modelDiff.yml
@@ -28,12 +28,12 @@ jobs:
        slug: ${{fromJson(github.event.inputs.projects || '["apache/commons-codec", "apache/commons-io", "apache/commons-beanutils", "apache/commons-logging", "apache/commons-fileupload", "apache/commons-lang", "apache/commons-validator", "apache/commons-csv", "apache/dubbo"]' )}}
    steps:
      - name: Clone github/codeql from PR
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
        if: github.event.pull_request
        with:
          path: codeql-pr
      - name: Clone github/codeql from main
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
        with:
          path: codeql-main
          ref: main
--- a/.github/workflows/mad_regenerate-models.yml
+++ b/.github/workflows/mad_regenerate-models.yml
@@ -30,11 +30,11 @@ jobs:
            ref: "placeholder"
    steps:
      - name: Clone self (github/codeql)
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Setup CodeQL binaries
        uses: ./.github/actions/fetch-codeql
      - name: Clone repositories
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
        with:
          path: repos/${{ matrix.ref }}
          ref: ${{ matrix.ref }}
--- a/.github/workflows/microsoft-codeql-pack-publish.yml
+++ b/.github/workflows/microsoft-codeql-pack-publish.yml
@@ -0,0 +1,152 @@
+name: Microsoft CodeQL Pack Publish
+
+on:
+  workflow_dispatch:
+
+jobs:
+  check-branch:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Fail if not on main branch
+      run: |
+        if [ "$GITHUB_REF" != "refs/heads/main" ]; then
+          echo "This workflow can only run on the 'main' branch."
+          exit 1
+        fi
+  codeqlversion:
+    needs: check-branch
+    runs-on: ubuntu-latest
+    outputs:
+      codeql_version: ${{ steps.set_codeql_version.outputs.codeql_version }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 
+      - name: Set CodeQL Version
+        id: set_codeql_version
+        run: |
+            git fetch
+            git fetch --tags
+            CURRENT_COMMIT=$(git rev-list -1 HEAD)
+            CURRENT_TAG=$(git describe --tags --abbrev=0 --match 'codeql-cli/v*' $CURRENT_COMMIT)
+            CODEQL_VERSION="${CURRENT_TAG#codeql-cli/}"
+            echo "CODEQL_VERSION=$CODEQL_VERSION" >> $GITHUB_OUTPUT
+  publishlibs:
+    environment: secure-publish
+    needs: codeqlversion
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        language: ['powershell']
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+    - name: Install CodeQL
+      shell: bash
+      run: |
+        gh extension install github/gh-codeql
+        gh codeql download "${{ needs.codeqlversion.outputs.codeql_version }}"
+        gh codeql set-version "${{ needs.codeqlversion.outputs.codeql_version }}"
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+    - name: Publish OS Microsoft CodeQL Lib Pack
+      shell: bash
+      run: |
+        # Download latest qlpack
+        gh codeql pack download "microsoft/$LANGUAGE-all"
+        PACK_DIR="$HOME/.codeql/packages/microsoft/$LANGUAGE-all"
+        VERSION_COUNT=$(ls -d "$PACK_DIR"/*/ | wc -l)
+        [[ "$VERSION_COUNT" -ne 1 ]] && { echo "Expected exactly one version in $PACK_DIR, but found $VERSION_COUNT. Exiting."; exit 1; }
+
+        # Increment version
+        CURRENT_VERSION=$(ls -v "$PACK_DIR" | tail -n 1)
+        MAJOR=$(echo "$CURRENT_VERSION" | cut -d. -f1)
+        MINOR=$(echo "$CURRENT_VERSION" | cut -d. -f2)
+        PATCH=$(echo "$CURRENT_VERSION" | cut -d. -f3)
+        NEXT_VERSION="$MAJOR.$MINOR.$((PATCH + 1))"
+
+        # Extract dependencies from the existing qlpack.yml before deleting
+        DEPENDENCIES=$(yq 'select(has("dependencies")) | .dependencies | {"dependencies": .}' "$LANGUAGE/ql/lib/qlpack.yml" 2>/dev/null)
+        DATAEXTENSIONS=$(yq 'select(has("dataExtensions")) | .dataExtensions | {"dataExtensions": .}' "$LANGUAGE/ql/lib/qlpack.yml" 2>/dev/null)
+        rm -f "$LANGUAGE/ql/lib/qlpack.yml" "$LANGUAGE/ql/lib/qlpack.lock"
+
+        # Create new qlpack.yml with modified content
+        cat <<EOF > "$LANGUAGE/ql/lib/qlpack.yml"
+        name: microsoft/$LANGUAGE-all
+        version: $NEXT_VERSION
+        extractor: $LANGUAGE
+        groups:
+          - $LANGUAGE
+          - microsoft-all
+        dbscheme: semmlecode.$LANGUAGE.dbscheme
+        extractor: $LANGUAGE
+        library: true
+        upgrades: upgrades
+        $DEPENDENCIES
+        $DATAEXTENSIONS
+        warnOnImplicitThis: true
+        EOF
+
+        # Publish pack
+        cat "$LANGUAGE/ql/lib/qlpack.yml"
+        gh codeql pack publish "$LANGUAGE/ql/lib"
+      env:
+        LANGUAGE: ${{ matrix.language }}
+        GITHUB_TOKEN: ${{ secrets.PACKAGE_PUBLISH }}
+  publish:
+    environment: secure-publish
+    needs: codeqlversion
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        language: ['csharp', 'cpp', 'java', 'javascript', 'python', 'ruby', 'go', 'rust', 'swift', 'powershell', 'iac']
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+    - name: Install CodeQL
+      shell: bash
+      run: |
+        gh extension install github/gh-codeql
+        gh codeql download "${{ needs.codeqlversion.outputs.codeql_version }}"
+        gh codeql set-version "${{ needs.codeqlversion.outputs.codeql_version }}"
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+    - name: Publish OS Microsoft CodeQL Pack
+      shell: bash
+      run: |
+        # Download latest qlpack
+        gh codeql pack download "microsoft/$LANGUAGE-queries"
+        PACK_DIR="$HOME/.codeql/packages/microsoft/$LANGUAGE-queries"
+        VERSION_COUNT=$(ls -d "$PACK_DIR"/*/ | wc -l)
+        [[ "$VERSION_COUNT" -ne 1 ]] && { echo "Expected exactly one version in $PACK_DIR, but found $VERSION_COUNT. Exiting."; exit 1; }
+
+        # Increment version
+        CURRENT_VERSION=$(ls -v "$PACK_DIR" | tail -n 1)
+        MAJOR=$(echo "$CURRENT_VERSION" | cut -d. -f1)
+        MINOR=$(echo "$CURRENT_VERSION" | cut -d. -f2)
+        PATCH=$(echo "$CURRENT_VERSION" | cut -d. -f3)
+        NEXT_VERSION="$MAJOR.$MINOR.$((PATCH + 1))"
+
+        # Extract dependencies from the existing qlpack.yml before deleting
+        DEPENDENCIES=$(yq 'select(has("dependencies")) | .dependencies | {"dependencies": .}' "$LANGUAGE/ql/src/qlpack.yml" 2>/dev/null)
+        rm -f "$LANGUAGE/ql/src/qlpack.yml" "$LANGUAGE/ql/src/qlpack.lock"
+
+        # Create new qlpack.yml with modified content
+        cat <<EOF > "$LANGUAGE/ql/src/qlpack.yml"
+        name: microsoft/$LANGUAGE-queries
+        version: $NEXT_VERSION
+        extractor: $LANGUAGE
+        groups:
+          - $LANGUAGE
+          - queries
+        $DEPENDENCIES
+        EOF
+
+        # Publish pack
+        cat "$LANGUAGE/ql/src/qlpack.yml"
+        gh codeql pack publish "$LANGUAGE/ql/src"
+      env:
+        LANGUAGE: ${{ matrix.language }}
+        GITHUB_TOKEN: ${{ secrets.PACKAGE_PUBLISH }}
+
--- a/.github/workflows/powershell-pr-check.yml
+++ b/.github/workflows/powershell-pr-check.yml
@@ -0,0 +1,32 @@
+name: PowerShell PR Check
+
+on:
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  powershell-pr-check:
+    name: powershell-pr-check
+    runs-on: windows-latest
+    if: github.repository == 'microsoft/codeql'
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          token: ${{ github.token }}
+      - name: Setup CodeQL
+        uses: ./.github/actions/fetch-codeql
+        with:
+          channel: release
+      - name: Install PowerShell
+        run: |
+          $path = Split-Path (Get-Command codeql).Source
+          ./powershell/build-win64.ps1 $path
+      - name: Run QL tests
+        run: |
+          codeql test run --threads=0 powershell/ql/test
--- a/.github/workflows/python-tooling.yml
+++ b/.github/workflows/python-tooling.yml
@@ -21,7 +21,7 @@ jobs:
  check-python-tooling:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.12'
--- a/.github/workflows/qhelp-pr-preview.yml
+++ b/.github/workflows/qhelp-pr-preview.yml
@@ -43,7 +43,7 @@ jobs:
          if-no-files-found: error
          retention-days: 1

-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
        with:
          fetch-depth: 2
          persist-credentials: false
--- a/.github/workflows/ql-for-ql-build.yml
+++ b/.github/workflows/ql-for-ql-build.yml
@@ -19,7 +19,7 @@ jobs:
    runs-on: ubuntu-latest-xl
    steps:
      ### Build the queries ###
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Find codeql
--- a/.github/workflows/ql-for-ql-dataset_measure.yml
+++ b/.github/workflows/ql-for-ql-dataset_measure.yml
@@ -25,7 +25,7 @@ jobs:
          - github/codeql
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4

      - name: Find codeql
        id: find-codeql
@@ -46,7 +46,7 @@ jobs:
        env:
          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
      - name: Checkout ${{ matrix.repo }}
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
        with:
          repository: ${{ matrix.repo }}
          path: ${{ github.workspace }}/repo
@@ -75,7 +75,7 @@ jobs:
    runs-on: ubuntu-latest
    needs: measure
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          name: measurements
--- a/.github/workflows/ql-for-ql-tests.yml
+++ b/.github/workflows/ql-for-ql-tests.yml
@@ -24,7 +24,7 @@ jobs:
  qltest:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Find codeql
        id: find-codeql
        uses: github/codeql-action/init@main
@@ -64,7 +64,7 @@ jobs:
    needs: [qltest]
    runs-on: ${{ matrix.os }}
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Install GNU tar
        if: runner.os == 'macOS'
        run: |
--- a/.github/workflows/query-list.yml
+++ b/.github/workflows/query-list.yml
@@ -23,7 +23,7 @@ jobs:

    steps:
    - name: Clone self (github/codeql)
-      uses: actions/checkout@v5
+      uses: actions/checkout@v4
      with:
        path: codeql 
    - name: Set up Python 3.8
@@ -31,7 +31,7 @@ jobs:
      with:
        python-version: 3.8
    - name: Download CodeQL CLI
-      # Look under the `codeql` directory, as this is where we checked out the `github/codeql` repo
+      # Look under the `codeql` directory, as this is where we checked out the `github/codeql` repo
      uses: ./codeql/.github/actions/fetch-codeql
    - name: Build code scanning query list
      run: |
--- a/.github/workflows/ruby-build.yml
+++ b/.github/workflows/ruby-build.yml
@@ -47,7 +47,7 @@ jobs:
    runs-on: ${{ matrix.os }}

    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Install GNU tar
        if: runner.os == 'macOS'
        run: |
@@ -113,7 +113,7 @@ jobs:
    if: github.repository_owner == 'github'
    runs-on: ubuntu-latest-xl
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Fetch CodeQL
        uses: ./.github/actions/fetch-codeql
      - name: Cache compilation cache
@@ -146,7 +146,7 @@ jobs:
    runs-on: ubuntu-latest
    needs: [build, compile-queries]
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          name: ruby.dbscheme
@@ -209,7 +209,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    needs: [package]
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Fetch CodeQL
        uses: ./.github/actions/fetch-codeql

--- a/.github/workflows/ruby-dataset-measure.yml
+++ b/.github/workflows/ruby-dataset-measure.yml
@@ -30,14 +30,14 @@ jobs:
        repo: [rails/rails, discourse/discourse, spree/spree, ruby/ruby]
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4

      - uses: ./.github/actions/fetch-codeql

      - uses: ./ruby/actions/create-extractor-pack

      - name: Checkout ${{ matrix.repo }}
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
        with:
          repository: ${{ matrix.repo }}
          path: ${{ github.workspace }}/repo
@@ -62,7 +62,7 @@ jobs:
    runs-on: ubuntu-latest
    needs: measure
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          path: stats
--- a/.github/workflows/ruby-qltest-rtjo.yml
+++ b/.github/workflows/ruby-qltest-rtjo.yml
@@ -25,7 +25,7 @@ jobs:
    strategy:
      fail-fast: false
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - uses: ./.github/actions/fetch-codeql
      - uses: ./ruby/actions/create-extractor-pack
      - name: Cache compilation cache
--- a/.github/workflows/ruby-qltest.yml
+++ b/.github/workflows/ruby-qltest.yml
@@ -36,7 +36,7 @@ jobs:
  qlupgrade:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - uses: ./.github/actions/fetch-codeql
      - name: Check DB upgrade scripts
        run: |
@@ -58,7 +58,7 @@ jobs:
    strategy:
      fail-fast: false
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - uses: ./.github/actions/fetch-codeql
      - uses: ./ruby/actions/create-extractor-pack
      - name: Cache compilation cache
--- a/.github/workflows/rust-analysis.yml
+++ b/.github/workflows/rust-analysis.yml
@@ -35,7 +35,7 @@ jobs:

    steps:
    - name: Checkout repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v4

    - name: Query latest nightly CodeQL bundle
      shell: bash
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -30,7 +30,7 @@ jobs:
        working-directory: rust/ast-generator
    steps:
      - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Inject sources
        shell: bash
        run: |
@@ -53,7 +53,7 @@ jobs:
        working-directory: rust/extractor
    steps:
      - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Format
        shell: bash
        run: |
@@ -69,7 +69,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Install CodeQL
        uses: ./.github/actions/fetch-codeql
      - name: Code generation
--- a/.github/workflows/swift.yml
+++ b/.github/workflows/swift.yml
@@ -36,7 +36,7 @@ jobs:
      fail-fast: false
    runs-on: ${{ matrix.runner }}
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Setup (Linux)
        if: runner.os == 'Linux'
        run: |
@@ -53,7 +53,7 @@ jobs:
  clang-format:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
        name: Check that python code is properly formatted
        with:
@@ -61,7 +61,7 @@ jobs:
  codegen:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - uses: ./.github/actions/fetch-codeql
      - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
        name: Check that QL generated code was checked in
@@ -77,6 +77,6 @@ jobs:
  check-no-override:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Check that no override is present in load.bzl
        run: bazel test ... --test_tag_filters=override --test_output=errors
--- a/.github/workflows/sync-files.yml
+++ b/.github/workflows/sync-files.yml
@@ -17,7 +17,7 @@ jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Check synchronized files
        run: python config/sync-files.py
      - name: Check dbscheme fragments
--- a/.github/workflows/sync-main-tags.yml
+++ b/.github/workflows/sync-main-tags.yml
@@ -0,0 +1,28 @@
+name: Sync Main Tags
+
+on:
+  pull_request:
+    types:
+      - closed
+    branches:
+      - main
+
+jobs:
+  sync-main-tags:
+    name: Sync Main Tags
+    runs-on: ubuntu-latest
+    if: github.repository == 'microsoft/codeql' && github.event.pull_request.merged == true && github.event.pull_request.head.ref == 'auto/sync-main-pr'
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: Push Tags
+        run: |
+          git remote add upstream https://github.com/github/codeql.git
+          git fetch upstream --tags --force
+          git push --force origin --tags
+        env:
+          GH_TOKEN: ${{ secrets.WORKFLOW_TOKEN }}
--- a/.github/workflows/sync-main.yml
+++ b/.github/workflows/sync-main.yml
@@ -0,0 +1,91 @@
+name: Sync Main
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - .github/workflows/sync-main.yml
+  schedule:
+    - cron: '55 * * * *'
+  
+jobs:
+  sync-main:
+    name: Sync-main
+    runs-on: ubuntu-latest
+    if: github.repository == 'microsoft/codeql'
+    permissions:
+      contents: write
+      pull-requests: write
+      
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.WORKFLOW_TOKEN }}
+      - name: Git config
+        shell: bash
+        run: |
+          git config user.name "dilanbhalla"
+          git config user.email "dilanbhalla@microsoft.com"
+      - name: Git checkout auto/sync-main-pr
+        shell: bash
+        run: |
+          git fetch origin
+          if git ls-remote --exit-code --heads origin auto/sync-main-pr > /dev/null; then
+            echo "Branch exists remotely. Checking it out."
+            git checkout -B auto/sync-main-pr origin/auto/sync-main-pr
+          else
+            echo "Branch does not exist remotely. Creating from main."
+            git checkout -B auto/sync-main-pr origin/main
+            git push -u origin auto/sync-main-pr
+          fi
+      - name: Sync origin/main
+        shell: bash
+        run: |
+          echo "::group::Sync with main branch"
+          git pull origin auto/sync-main-pr; exitCode=$?; if [ $exitCode -ne 0 ]; then exitCode=0; fi
+          git pull origin main --no-rebase
+          git push --force origin auto/sync-main-pr
+          echo "::endgroup::"
+      - name: Sync upstream/codeql-cli/latest
+        shell: bash
+        run: |
+          echo "::group::Set up remote"
+          git remote add upstream https://github.com/github/codeql.git
+          git fetch upstream --tags --force
+          echo "::endgroup::"
+          echo "::group::Merge codeql-cli/latest"
+          set -x
+          git merge codeql-cli/latest
+          set +x
+          echo "::endgroup::"
+      - name: Push sync branch
+        run: |
+          git push origin auto/sync-main-pr
+        env:
+          GITHUB_TOKEN: ${{ secrets.WORKFLOW_TOKEN }}
+          GH_TOKEN: ${{ secrets.WORKFLOW_TOKEN }}
+      - name: Create PR if it doesn't exist
+        shell: bash
+        run: |
+          pr_number=$(gh pr list --repo microsoft/codeql --head auto/sync-main-pr --base main --json number --jq '.[0].number')
+          if [ -n "$pr_number" ]; then
+            echo "PR from auto/sync-main-pr to main already exists (PR #$pr_number). Exiting gracefully."
+          else
+            if git fetch origin main auto/sync-main-pr && [ -n "$(git rev-list origin/main..origin/auto/sync-main-pr)" ]; then
+              echo "PR does not exist. Creating one..."
+              gh pr create --repo microsoft/codeql --fill -B main -H auto/sync-main-pr \
+                --label 'autogenerated' \
+                --title 'Sync Main (autogenerated)' \
+                --body "This PR syncs the latest changes from \`codeql-cli/latest\` into \`main\`." \
+                --reviewer 'MathiasVP' \
+                --reviewer 'ropwareJB'
+            else
+              echo "No changes to sync from auto/sync-main-pr to main. Exiting gracefully."
+            fi
+          fi
+        env:
+          GH_TOKEN: ${{ secrets.WORKFLOW_TOKEN }}
+
--- a/.github/workflows/tree-sitter-extractor-test.yml
+++ b/.github/workflows/tree-sitter-extractor-test.yml
@@ -30,7 +30,7 @@ jobs:
  test:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Check formatting
        run: cargo fmt -- --check
      - name: Run tests
@@ -38,12 +38,12 @@ jobs:
  fmt:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Check formatting
        run: cargo fmt --check
  clippy:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - name: Run clippy
        run: cargo clippy -- --no-deps -D warnings -A clippy::new_without_default -A clippy::too_many_arguments
--- a/.github/workflows/validate-change-notes.yml
+++ b/.github/workflows/validate-change-notes.yml
@@ -23,7 +23,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4

      - name: Setup CodeQL
        uses: ./.github/actions/fetch-codeql
--- a/.github/workflows/zipmerge-test.yml
+++ b/.github/workflows/zipmerge-test.yml
@@ -18,6 +18,6 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - run: |
          bazel test //misc/bazel/internal/zipmerge:test --test_output=all
--- a/.gitmodules
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "iac"]
+	path = iac
+	url = https://github.com/advanced-security/codeql-extractor-iac
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -14,8 +14,8 @@ local_path_override(

 # see https://registry.bazel.build/ for a list of available packages

-bazel_dep(name = "platforms", version = "1.0.0")
-bazel_dep(name = "rules_go", version = "0.56.1")
+bazel_dep(name = "platforms", version = "0.0.11")
+bazel_dep(name = "rules_go", version = "0.50.1")
 bazel_dep(name = "rules_pkg", version = "1.0.1")
 bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1")
 bazel_dep(name = "rules_python", version = "0.40.0")
@@ -26,9 +26,9 @@ bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "10.0.0")
 bazel_dep(name = "rules_kotlin", version = "2.1.3-codeql.1")
 bazel_dep(name = "gazelle", version = "0.40.0")
-bazel_dep(name = "rules_dotnet", version = "0.19.2-codeql.1")
+bazel_dep(name = "rules_dotnet", version = "0.17.4")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
-bazel_dep(name = "rules_rust", version = "0.63.0")
+bazel_dep(name = "rules_rust", version = "0.58.0")
 bazel_dep(name = "zstd", version = "1.5.5.bcr.1")

 bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
@@ -38,10 +38,7 @@ bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True
 RUST_EDITION = "2024"

 # run buildutils-internal/scripts/fill-rust-sha256s.py when updating (internal repo)
-# a nightly toolchain is required to enable experimental_use_cc_common_link, which we require internally
-# we prefer to run the same version as internally, even if experimental_use_cc_common_link is not really
-# required in this repo
-RUST_VERSION = "nightly/2025-08-01"
+RUST_VERSION = "1.86.0"

 rust = use_extension("@rules_rust//rust:extensions.bzl", "rust")
 rust.toolchain(
@@ -53,26 +50,26 @@ rust.toolchain(
    ],
    # generated by buildutils-internal/scripts/fill-rust-sha256s.py (internal repo)
    sha256s = {
-        "2025-08-01/rustc-nightly-x86_64-unknown-linux-gnu.tar.xz": "9bbeaf5d3fc7247d31463a9083aa251c995cc50662c8219e7a2254d76a72a9a4",
-        "2025-08-01/rustc-nightly-x86_64-apple-darwin.tar.xz": "c9ea539a8eff0d5d162701f99f9e1aabe14dd0dfb420d62362817a5d09219de7",
-        "2025-08-01/rustc-nightly-aarch64-apple-darwin.tar.xz": "ae83feebbc39cfd982e4ecc8297731fe79c185173aee138467b334c5404b3773",
-        "2025-08-01/rustc-nightly-x86_64-pc-windows-msvc.tar.xz": "9f170c30d802a349be60cf52ec46260802093cb1013ad667fc0d528b7b10152f",
-        "2025-08-01/clippy-nightly-x86_64-unknown-linux-gnu.tar.xz": "9ae5f3cd8f557c4f6df522597c69d14398cf604cfaed2b83e767c4b77a7eaaf6",
-        "2025-08-01/clippy-nightly-x86_64-apple-darwin.tar.xz": "983cb9ee0b6b968188e04ab2d33743d54764b2681ce565e1b3f2b9135c696a3e",
-        "2025-08-01/clippy-nightly-aarch64-apple-darwin.tar.xz": "ed2219dbc49d088225e1b7c5c4390fa295066e071fddaa2714018f6bb39ddbf0",
-        "2025-08-01/clippy-nightly-x86_64-pc-windows-msvc.tar.xz": "911f40ab5cbdd686f40e00965271fe47c4805513a308ed01f30eafb25b448a50",
-        "2025-08-01/cargo-nightly-x86_64-unknown-linux-gnu.tar.xz": "106463c284e48e4904c717471eeec2be5cc83a9d2cae8d6e948b52438cad2e69",
-        "2025-08-01/cargo-nightly-x86_64-apple-darwin.tar.xz": "6ad35c40efc41a8c531ea43235058347b6902d98a9693bf0aed7fc16d5590cef",
-        "2025-08-01/cargo-nightly-aarch64-apple-darwin.tar.xz": "dd28c365e9d298abc3154c797720ad36a0058f131265c9978b4c8e4e37012c8a",
-        "2025-08-01/cargo-nightly-x86_64-pc-windows-msvc.tar.xz": "7b431286e12d6b3834b038f078389a00cac73f351e8c3152b2504a3c06420b3b",
-        "2025-08-01/llvm-tools-nightly-x86_64-unknown-linux-gnu.tar.xz": "e342e305d7927cc288d386983b2bc253cfad3776b113386e903d0b302648ef47",
-        "2025-08-01/llvm-tools-nightly-x86_64-apple-darwin.tar.xz": "e44dd3506524d85c37b3a54bcc91d01378fd2c590b2db5c5974d12f05c1b84d1",
-        "2025-08-01/llvm-tools-nightly-aarch64-apple-darwin.tar.xz": "0c1b5f46dd81be4a9227b10283a0fcaa39c14fea7e81aea6fd6d9887ff6cdc41",
-        "2025-08-01/llvm-tools-nightly-x86_64-pc-windows-msvc.tar.xz": "423e5fd11406adccbc31b8456ceb7375ce055cdf45e90d2c3babeb2d7f58383f",
-        "2025-08-01/rust-std-nightly-x86_64-unknown-linux-gnu.tar.xz": "3c0ceb46a252647a1d4c7116d9ccae684fa5e42aaf3296419febd2c962c3b41d",
-        "2025-08-01/rust-std-nightly-x86_64-apple-darwin.tar.xz": "3be416003cab10f767390a753d1d16ae4d26c7421c03c98992cf1943e5b0efe8",
-        "2025-08-01/rust-std-nightly-aarch64-apple-darwin.tar.xz": "4046ac0ef951cb056b5028a399124f60999fa37792eab69d008d8d7965f389b4",
-        "2025-08-01/rust-std-nightly-x86_64-pc-windows-msvc.tar.xz": "191ed9d8603c3a4fe5a7bbbc2feb72049078dae2df3d3b7d5dedf3abbf823e6e",
+        "rustc-1.86.0-x86_64-unknown-linux-gnu.tar.xz": "4438b809ce4a083af31ed17aeeedcc8fc60ccffc0625bef1926620751b6989d7",
+        "rustc-1.86.0-x86_64-apple-darwin.tar.xz": "42b76253626febb7912541a30d3379f463dec89581aad4cb72c6c04fb5a71dc5",
+        "rustc-1.86.0-aarch64-apple-darwin.tar.xz": "23b8f52102249a47ab5bc859d54c9a3cb588a3259ba3f00f557d50edeca4fde9",
+        "rustc-1.86.0-x86_64-pc-windows-msvc.tar.xz": "fdde839fea274529a31e51eb85c6df1782cc8479c9d1bc24e2914d66a0de41ab",
+        "clippy-1.86.0-x86_64-unknown-linux-gnu.tar.xz": "02aaff2c1407d2da8dba19aa4970dd873e311902b120a66cbcdbe51eb8836edf",
+        "clippy-1.86.0-x86_64-apple-darwin.tar.xz": "bb85efda7bbffaf124867f5ca36d50932b1e8f533c62ee923438afb32ff8fe9a",
+        "clippy-1.86.0-aarch64-apple-darwin.tar.xz": "239fa3a604b124f0312f2af08537874a1227dba63385484b468cca62e7c4f2f2",
+        "clippy-1.86.0-x86_64-pc-windows-msvc.tar.xz": "d00498f47d49219f032e2c5eeebdfc3d32317c0dc3d3fd7125327445bc482cb4",
+        "cargo-1.86.0-x86_64-unknown-linux-gnu.tar.xz": "c5c1590f7e9246ad9f4f97cfe26ffa92707b52a769726596a9ef81565ebd908b",
+        "cargo-1.86.0-x86_64-apple-darwin.tar.xz": "af163eb02d1a178044d1b4f2375960efd47130f795f6e33d09e345454bb26f4e",
+        "cargo-1.86.0-aarch64-apple-darwin.tar.xz": "3cb13873d48c3e1e4cc684d42c245226a11fba52af6b047c3346ed654e7a05c0",
+        "cargo-1.86.0-x86_64-pc-windows-msvc.tar.xz": "e57a9d89619b5604899bac443e68927bdd371e40f2e03e18950b6ceb3eb67966",
+        "llvm-tools-1.86.0-x86_64-unknown-linux-gnu.tar.xz": "282145ab7a63c98b625856f44b905b4dc726b497246b824632a5790debe95a78",
+        "llvm-tools-1.86.0-x86_64-apple-darwin.tar.xz": "b55706e92f7da989207c50c13c7add483a9fedd233bc431b106eca2a8f151ec9",
+        "llvm-tools-1.86.0-aarch64-apple-darwin.tar.xz": "04d3618c686845853585f036e3211eb9e18f2d290f4610a7a78bdc1fcce1ebd9",
+        "llvm-tools-1.86.0-x86_64-pc-windows-msvc.tar.xz": "721a17cc8dc219177e4277a3592253934ef08daa1e1b12eda669a67d15fad8dd",
+        "rust-std-1.86.0-x86_64-unknown-linux-gnu.tar.xz": "67be7184ea388d8ce0feaf7fdea46f1775cfc2970930264343b3089898501d37",
+        "rust-std-1.86.0-x86_64-apple-darwin.tar.xz": "3b1140d54870a080080e84700143f4a342fbd02a410a319b05d9c02e7dcf44cc",
+        "rust-std-1.86.0-aarch64-apple-darwin.tar.xz": "0fb121fb3b8fa9027d79ff598500a7e5cd086ddbc3557482ed3fdda00832c61b",
+        "rust-std-1.86.0-x86_64-pc-windows-msvc.tar.xz": "3d5354b7b9cb950b58bff3fce18a652aa374bb30c8f70caebd3bd0b43cb41a33",
    },
    versions = [RUST_VERSION],
 )
@@ -98,49 +95,49 @@ use_repo(
 tree_sitter_extractors_deps = use_extension("//misc/bazel/3rdparty:tree_sitter_extractors_extension.bzl", "r")
 use_repo(
    tree_sitter_extractors_deps,
-    "vendor_ts__anyhow-1.0.99",
+    "vendor_ts__anyhow-1.0.98",
    "vendor_ts__argfile-0.2.1",
-    "vendor_ts__chalk-ir-0.104.0",
+    "vendor_ts__chalk-ir-0.103.0",
    "vendor_ts__chrono-0.4.41",
-    "vendor_ts__clap-4.5.44",
+    "vendor_ts__clap-4.5.40",
    "vendor_ts__dunce-1.0.5",
    "vendor_ts__either-1.15.0",
    "vendor_ts__encoding-0.2.33",
    "vendor_ts__figment-0.10.19",
    "vendor_ts__flate2-1.1.0",
-    "vendor_ts__glob-0.3.3",
+    "vendor_ts__glob-0.3.2",
    "vendor_ts__globset-0.4.15",
    "vendor_ts__itertools-0.14.0",
    "vendor_ts__lazy_static-1.5.0",
    "vendor_ts__mustache-0.9.0",
    "vendor_ts__num-traits-0.2.19",
    "vendor_ts__num_cpus-1.17.0",
-    "vendor_ts__proc-macro2-1.0.97",
+    "vendor_ts__proc-macro2-1.0.95",
    "vendor_ts__quote-1.0.40",
-    "vendor_ts__ra_ap_base_db-0.0.300",
-    "vendor_ts__ra_ap_cfg-0.0.300",
-    "vendor_ts__ra_ap_hir-0.0.300",
-    "vendor_ts__ra_ap_hir_def-0.0.300",
-    "vendor_ts__ra_ap_hir_expand-0.0.300",
-    "vendor_ts__ra_ap_hir_ty-0.0.300",
-    "vendor_ts__ra_ap_ide_db-0.0.300",
-    "vendor_ts__ra_ap_intern-0.0.300",
-    "vendor_ts__ra_ap_load-cargo-0.0.300",
-    "vendor_ts__ra_ap_parser-0.0.300",
-    "vendor_ts__ra_ap_paths-0.0.300",
-    "vendor_ts__ra_ap_project_model-0.0.300",
-    "vendor_ts__ra_ap_span-0.0.300",
-    "vendor_ts__ra_ap_stdx-0.0.300",
-    "vendor_ts__ra_ap_syntax-0.0.300",
-    "vendor_ts__ra_ap_vfs-0.0.300",
-    "vendor_ts__rand-0.9.2",
+    "vendor_ts__ra_ap_base_db-0.0.288",
+    "vendor_ts__ra_ap_cfg-0.0.288",
+    "vendor_ts__ra_ap_hir-0.0.288",
+    "vendor_ts__ra_ap_hir_def-0.0.288",
+    "vendor_ts__ra_ap_hir_expand-0.0.288",
+    "vendor_ts__ra_ap_hir_ty-0.0.288",
+    "vendor_ts__ra_ap_ide_db-0.0.288",
+    "vendor_ts__ra_ap_intern-0.0.288",
+    "vendor_ts__ra_ap_load-cargo-0.0.288",
+    "vendor_ts__ra_ap_parser-0.0.288",
+    "vendor_ts__ra_ap_paths-0.0.288",
+    "vendor_ts__ra_ap_project_model-0.0.288",
+    "vendor_ts__ra_ap_span-0.0.288",
+    "vendor_ts__ra_ap_stdx-0.0.288",
+    "vendor_ts__ra_ap_syntax-0.0.288",
+    "vendor_ts__ra_ap_vfs-0.0.288",
+    "vendor_ts__rand-0.9.1",
    "vendor_ts__rayon-1.10.0",
    "vendor_ts__regex-1.11.1",
    "vendor_ts__serde-1.0.219",
-    "vendor_ts__serde_json-1.0.142",
-    "vendor_ts__serde_with-3.14.0",
-    "vendor_ts__syn-2.0.104",
-    "vendor_ts__toml-0.9.5",
+    "vendor_ts__serde_json-1.0.140",
+    "vendor_ts__serde_with-3.13.0",
+    "vendor_ts__syn-2.0.103",
+    "vendor_ts__toml-0.8.23",
    "vendor_ts__tracing-0.1.41",
    "vendor_ts__tracing-flame-0.2.0",
    "vendor_ts__tracing-subscriber-0.3.19",
@@ -172,7 +169,7 @@ http_archive(
 )

 dotnet = use_extension("@rules_dotnet//dotnet:extensions.bzl", "dotnet")
-dotnet.toolchain(dotnet_version = "9.0.300")
+dotnet.toolchain(dotnet_version = "9.0.100")
 use_repo(dotnet, "dotnet_toolchains")

 register_toolchains("@dotnet_toolchains//:all")
@@ -263,7 +260,7 @@ use_repo(
 )

 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
-go_sdk.download(version = "1.25.0")
+go_sdk.download(version = "1.24.0")

 go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
 go_deps.from_file(go_mod = "//go/extractor:go.mod")
--- a/README.md
+++ b/README.md
@@ -29,3 +29,5 @@ You can install the [CodeQL for Visual Studio Code](https://marketplace.visualst
 ### Tasks

 The `.vscode/tasks.json` file defines custom tasks specific to working in this repository. To invoke one of these tasks, select the `Terminal | Run Task...` menu option, and then select the desired task from the dropdown. You can also invoke the `Tasks: Run Task` command from the command palette.
+
+
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -0,0 +1,41 @@
+<!-- BEGIN MICROSOFT SECURITY.MD V0.0.8 BLOCK -->
+
+## Security
+
+Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/).
+
+If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below.
+
+## Reporting Security Issues
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/opensource/security/create-report).
+
+If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com).  If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/opensource/security/pgpkey).
+
+You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc). 
+
+Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
+
+  * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
+  * Full paths of source file(s) related to the manifestation of the issue
+  * The location of the affected source code (tag/branch/commit or direct URL)
+  * Any special configuration required to reproduce the issue
+  * Step-by-step instructions to reproduce the issue
+  * Proof-of-concept or exploit code (if possible)
+  * Impact of the issue, including how an attacker might exploit the issue
+
+This information will help us triage your report more quickly.
+
+If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/opensource/security/bounty) page for more details about our active programs.
+
+## Preferred Languages
+
+We prefer all communications to be in English.
+
+## Policy
+
+Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/opensource/security/cvd).
+
+<!-- END MICROSOFT SECURITY.MD BLOCK -->
--- a/actions/extractor/codeql-extractor.yml
+++ b/actions/extractor/codeql-extractor.yml
@@ -1,17 +1,14 @@
 name: "actions"
+aliases: []
 display_name: "GitHub Actions"
 version: 0.0.1
 column_kind: "utf16"
 unicode_newlines: true
 build_modes:
  - none
-default_queries:
-  - codeql/actions-queries
-# Actions workflows are not reported separately by the GitHub API, so we can't
-# associate them with a specific language.
+file_coverage_languages: []
 github_api_languages: []
-scc_languages:
-  - YAML
+scc_languages: []
 file_types:
  - name: workflow
    display_name: GitHub Actions workflow files
--- a/actions/extractor/tools/baseline-config.json
+++ b/actions/extractor/tools/baseline-config.json
@@ -1,10 +0,0 @@
-{
-    "paths": [
-        ".github/workflows/*.yml",
-        ".github/workflows/*.yaml",
-        ".github/reusable_workflows/**/*.yml",
-        ".github/reusable_workflows/**/*.yaml",
-        "**/action.yml",
-        "**/action.yaml"
-    ]
-}
--- a/actions/extractor/tools/configure-baseline.cmd
+++ b/actions/extractor/tools/configure-baseline.cmd
@@ -1,2 +0,0 @@
-@echo off
-type "%CODEQL_EXTRACTOR_ACTIONS_ROOT%\tools\baseline-config.json"
--- a/actions/extractor/tools/configure-baseline.sh
+++ b/actions/extractor/tools/configure-baseline.sh
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-cat "$CODEQL_EXTRACTOR_ACTIONS_ROOT/tools/baseline-config.json"
--- a/actions/ql/integration-tests/query-suite/actions-code-scanning.qls.expected
+++ b/actions/ql/integration-tests/query-suite/actions-code-scanning.qls.expected
@@ -1,4 +1,3 @@
-ql/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
 ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
 ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
 ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
--- a/actions/ql/integration-tests/query-suite/actions-security-and-quality.qls.expected
+++ b/actions/ql/integration-tests/query-suite/actions-security-and-quality.qls.expected
@@ -1,5 +1,4 @@
 ql/actions/ql/src/Debug/SyntaxError.ql
-ql/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
 ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
 ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
 ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
--- a/actions/ql/integration-tests/query-suite/actions-security-extended.qls.expected
+++ b/actions/ql/integration-tests/query-suite/actions-security-extended.qls.expected
@@ -1,4 +1,3 @@
-ql/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
 ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
 ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
 ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
--- a/actions/ql/lib/CHANGELOG.md
+++ b/actions/ql/lib/CHANGELOG.md
@@ -1,15 +1,3 @@
-## 0.4.17
-
-No user-facing changes.
-
-## 0.4.16
-
-No user-facing changes.
-
-## 0.4.15
-
-No user-facing changes.
-
 ## 0.4.14

 No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.15.md
+++ b/actions/ql/lib/change-notes/released/0.4.15.md
@@ -1,3 +0,0 @@
-## 0.4.15
-
-No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.16.md
+++ b/actions/ql/lib/change-notes/released/0.4.16.md
@@ -1,3 +0,0 @@
-## 0.4.16
-
-No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.17.md
+++ b/actions/ql/lib/change-notes/released/0.4.17.md
@@ -1,3 +0,0 @@
-## 0.4.17
-
-No user-facing changes.
--- a/actions/ql/lib/codeql-pack.release.yml
+++ b/actions/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.17
+lastReleaseVersion: 0.4.14
--- a/actions/ql/lib/codeql/Locations.qll
+++ b/actions/ql/lib/codeql/Locations.qll
@@ -70,8 +70,8 @@ class Location extends TLocation, TBaseLocation {

  /**
   * Holds if this element is at the specified location.
-   * The location spans column `sc` of line `sl` to
-   * column `ec` of line `el` in file `p`.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
   * For more information, see
   * [Providing locations in CodeQL queries](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
   */
--- a/actions/ql/lib/codeql/actions/Ast.qll
+++ b/actions/ql/lib/codeql/actions/Ast.qll
@@ -261,7 +261,7 @@ class If extends AstNode instanceof IfImpl {
 }

 /**
- * An Environment node representing a deployment environment.
+ * An Environemnt node representing a deployment environment.
 */
 class Environment extends AstNode instanceof EnvironmentImpl {
  string getName() { result = super.getName() }
--- a/actions/ql/lib/codeql/actions/ast/internal/Ast.qll
+++ b/actions/ql/lib/codeql/actions/ast/internal/Ast.qll
@@ -125,11 +125,12 @@ abstract class AstNodeImpl extends TAstNode {
   * Gets the enclosing Step.
   */
  StepImpl getEnclosingStep() {
-    this instanceof StepImpl and
-    result = this
-    or
-    this instanceof ScalarValueImpl and
-    result.getAChildNode*() = this.getParentNode()
+    if this instanceof StepImpl
+    then result = this
+    else
+      if this instanceof ScalarValueImpl
+      then result.getAChildNode*() = this.getParentNode()
+      else none()
  }

  /**
@@ -1415,8 +1416,9 @@ class ExternalJobImpl extends JobImpl, UsesImpl {
  override string getVersion() {
    exists(YamlString name |
      n.lookup("uses") = name and
-      not name.getValue().matches("\\.%") and
-      result = name.getValue().regexpCapture(repoUsesParser(), 4)
+      if not name.getValue().matches("\\.%")
+      then result = name.getValue().regexpCapture(repoUsesParser(), 4)
+      else none()
    )
  }
 }
--- a/actions/ql/lib/codeql/actions/controlflow/BasicBlocks.qll
+++ b/actions/ql/lib/codeql/actions/controlflow/BasicBlocks.qll
@@ -286,7 +286,7 @@ private module Cached {
  /**
   * Holds if `cfn` is the `i`th node in basic block `bb`.
   *
-   * In other words, `i` is the shortest distance from a node `bbStart`
+   * In other words, `i` is the shortest distance from a node `bb`
   * that starts a basic block to `cfn` along the `intraBBSucc` relation.
   */
  cached
--- a/actions/ql/lib/codeql/actions/controlflow/internal/Cfg.qll
+++ b/actions/ql/lib/codeql/actions/controlflow/internal/Cfg.qll
@@ -3,8 +3,6 @@ private import codeql.controlflow.Cfg as CfgShared
 private import codeql.Locations

 module Completion {
-  import codeql.controlflow.SuccessorType
-
  private newtype TCompletion =
    TSimpleCompletion() or
    TBooleanCompletion(boolean b) { b in [false, true] } or
@@ -27,7 +25,7 @@ module Completion {

    override predicate isValidFor(AstNode e) { not any(Completion c).isValidForSpecific(e) }

-    override DirectSuccessor getAMatchingSuccessorType() { any() }
+    override NormalSuccessor getAMatchingSuccessorType() { any() }
  }

  class BooleanCompletion extends NormalCompletion, TBooleanCompletion {
@@ -51,6 +49,34 @@ module Completion {

    override ReturnSuccessor getAMatchingSuccessorType() { any() }
  }
+
+  cached
+  private newtype TSuccessorType =
+    TNormalSuccessor() or
+    TBooleanSuccessor(boolean b) { b in [false, true] } or
+    TReturnSuccessor()
+
+  class SuccessorType extends TSuccessorType {
+    string toString() { none() }
+  }
+
+  class NormalSuccessor extends SuccessorType, TNormalSuccessor {
+    override string toString() { result = "successor" }
+  }
+
+  class BooleanSuccessor extends SuccessorType, TBooleanSuccessor {
+    boolean value;
+
+    BooleanSuccessor() { this = TBooleanSuccessor(value) }
+
+    override string toString() { result = value.toString() }
+
+    boolean getValue() { result = value }
+  }
+
+  class ReturnSuccessor extends SuccessorType, TReturnSuccessor {
+    override string toString() { result = "return" }
+  }
 }

 module CfgScope {
@@ -101,8 +127,14 @@ private module Implementation implements CfgShared::InputSig<Location> {
    last(scope.(CompositeAction), e, c)
  }

+  predicate successorTypeIsSimple(SuccessorType t) { t instanceof NormalSuccessor }
+
+  predicate successorTypeIsCondition(SuccessorType t) { t instanceof BooleanSuccessor }
+
  SuccessorType getAMatchingSuccessorType(Completion c) { result = c.getAMatchingSuccessorType() }

+  predicate isAbnormalExitType(SuccessorType t) { none() }
+
  int idOfAstNode(AstNode node) { none() }

  int idOfCfgScope(CfgScope scope) { none() }
--- a/actions/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
+++ b/actions/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
@@ -63,10 +63,10 @@ predicate madSource(DataFlow::Node source, string kind, string fieldName) {
    (
      if fieldName.trim().matches("env.%")
      then source.asExpr() = uses.getInScopeEnvVarExpr(fieldName.trim().replaceAll("env.", ""))
-      else (
-        fieldName.trim().matches("output.%") and
-        source.asExpr() = uses
-      )
+      else
+        if fieldName.trim().matches("output.%")
+        then source.asExpr() = uses
+        else none()
    )
  )
 }
--- a/actions/ql/lib/codeql/actions/dataflow/FlowSources.qll
+++ b/actions/ql/lib/codeql/actions/dataflow/FlowSources.qll
@@ -31,14 +31,14 @@ abstract class RemoteFlowSource extends SourceNode {
 class GitHubCtxSource extends RemoteFlowSource {
  string flag;
  string event;
+  GitHubExpression e;

  GitHubCtxSource() {
-    exists(GitHubExpression e |
-      this.asExpr() = e and
-      // github.head_ref
-      e.getFieldName() = "head_ref" and
-      flag = "branch"
-    |
+    this.asExpr() = e and
+    // github.head_ref
+    e.getFieldName() = "head_ref" and
+    flag = "branch" and
+    (
      event = e.getATriggerEvent().getName() and
      event = "pull_request_target"
      or
@@ -148,6 +148,7 @@ class GhCLICommandSource extends RemoteFlowSource, CommandSource {
 class GitHubEventPathSource extends RemoteFlowSource, CommandSource {
  string cmd;
  string flag;
+  string access_path;
  Run run;

  // Examples
@@ -162,7 +163,7 @@ class GitHubEventPathSource extends RemoteFlowSource, CommandSource {
    run.getScript().getACommand() = cmd and
    cmd.matches("jq%") and
    cmd.matches("%GITHUB_EVENT_PATH%") and
-    exists(string regexp, string access_path |
+    exists(string regexp |
      untrustedEventPropertiesDataModel(regexp, flag) and
      not flag = "json" and
      access_path = "github.event" + cmd.regexpCapture(".*\\s+([^\\s]+)\\s+.*", 1) and
--- a/actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll
@@ -1,7 +1,6 @@
 private import actions
 private import codeql.actions.TaintTracking
 private import codeql.actions.dataflow.ExternalFlow
-private import codeql.actions.security.ControlChecks
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.DataFlow

@@ -19,6 +18,7 @@ abstract class ArgumentInjectionSink extends DataFlow::Node {
 */
 class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink {
  string command;
+  string argument;

  ArgumentInjectionFromEnvVarSink() {
    exists(Run run, string var |
@@ -27,7 +27,7 @@ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink {
        exists(run.getInScopeEnvVarExpr(var)) or
        var = "GITHUB_HEAD_REF"
      ) and
-      run.getScript().getAnEnvReachingArgumentInjectionSink(var, command, _)
+      run.getScript().getAnEnvReachingArgumentInjectionSink(var, command, argument)
    )
  }

@@ -43,12 +43,13 @@ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink {
 */
 class ArgumentInjectionFromCommandSink extends ArgumentInjectionSink {
  string command;
+  string argument;

  ArgumentInjectionFromCommandSink() {
    exists(CommandSource source, Run run |
      run = source.getEnclosingRun() and
      this.asExpr() = run.getScript() and
-      run.getScript().getACmdReachingArgumentInjectionSink(source.getCommand(), command, _)
+      run.getScript().getACmdReachingArgumentInjectionSink(source.getCommand(), command, argument)
    )
  }

@@ -64,16 +65,6 @@ class ArgumentInjectionFromMaDSink extends ArgumentInjectionSink {
  override string getCommand() { result = "unknown" }
 }

-/**
- * Gets the event that is relevant for the given node in the context of argument injection.
- *
- * This is used to highlight the event in the query results when an alert is raised.
- */
-Event getRelevantEventInPrivilegedContext(DataFlow::Node node) {
-  inPrivilegedContext(node.asExpr(), result) and
-  not exists(ControlCheck check | check.protects(node.asExpr(), result, "argument-injection"))
-}
-
 /**
 * A taint-tracking configuration for unsafe user input
 * that is used to construct and evaluate a code script.
@@ -97,16 +88,6 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig {
      run.getScript().getAnEnvReachingArgumentInjectionSink(var, _, _)
    )
  }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
-
-  Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    result = getRelevantEventInPrivilegedContext(sink).getLocation()
-  }
 }

 /** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */
--- a/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
@@ -4,7 +4,6 @@ import codeql.actions.DataFlow
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.security.PoisonableSteps
 import codeql.actions.security.UntrustedCheckoutQuery
-import codeql.actions.security.ControlChecks

 string unzipRegexp() { result = "(unzip|tar)\\s+.*" }

@@ -125,6 +124,8 @@ class LegitLabsDownloadArtifactActionStep extends UntrustedArtifactDownloadStep,
 }

 class ActionsGitHubScriptDownloadStep extends UntrustedArtifactDownloadStep, UsesStep {
+  string script;
+
  ActionsGitHubScriptDownloadStep() {
    // eg:
    // - uses: actions/github-script@v6
@@ -147,14 +148,12 @@ class ActionsGitHubScriptDownloadStep extends UntrustedArtifactDownloadStep, Use
    //      var fs = require('fs');
    //      fs.writeFileSync('${{github.workspace}}/test-results.zip', Buffer.from(download.data));
    this.getCallee() = "actions/github-script" and
-    exists(string script |
-      this.getArgument("script") = script and
-      script.matches("%listWorkflowRunArtifacts(%") and
-      script.matches("%downloadArtifact(%") and
-      script.matches("%writeFileSync(%") and
-      // Filter out artifacts that were created by pull-request.
-      not script.matches("%exclude_pull_requests: true%")
-    )
+    this.getArgument("script") = script and
+    script.matches("%listWorkflowRunArtifacts(%") and
+    script.matches("%downloadArtifact(%") and
+    script.matches("%writeFileSync(%") and
+    // Filter out artifacts that were created by pull-request.
+    not script.matches("%exclude_pull_requests: true%")
  }

  override string getPath() {
@@ -171,10 +170,10 @@ class ActionsGitHubScriptDownloadStep extends UntrustedArtifactDownloadStep, Use
                .getScript()
                .getACommand()
                .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3)))
-    else (
-      this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp()) and
-      result = "GITHUB_WORKSPACE/"
-    )
+    else
+      if this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp())
+      then result = "GITHUB_WORKSPACE/"
+      else none()
  }
 }

@@ -207,13 +206,12 @@ class GHRunArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run {
                .getScript()
                .getACommand()
                .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3)))
-    else (
-      (
+    else
+      if
        this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp()) or
        this.getScript().getACommand().regexpMatch(unzipRegexp())
-      ) and
-      result = "GITHUB_WORKSPACE/"
-    )
+      then result = "GITHUB_WORKSPACE/"
+      else none()
  }
 }

@@ -260,15 +258,15 @@ class DirectArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run {

 class ArtifactPoisoningSink extends DataFlow::Node {
  UntrustedArtifactDownloadStep download;
+  PoisonableStep poisonable;

  ArtifactPoisoningSink() {
-    exists(PoisonableStep poisonable |
-      download.getAFollowingStep() = poisonable and
-      // excluding artifacts downloaded to the temporary directory
-      not download.getPath().regexpMatch("^/tmp.*") and
-      not download.getPath().regexpMatch("^\\$\\{\\{\\s*runner\\.temp\\s*}}.*") and
-      not download.getPath().regexpMatch("^\\$RUNNER_TEMP.*")
-    |
+    download.getAFollowingStep() = poisonable and
+    // excluding artifacts downloaded to the temporary directory
+    not download.getPath().regexpMatch("^/tmp.*") and
+    not download.getPath().regexpMatch("^\\$\\{\\{\\s*runner\\.temp\\s*}}.*") and
+    not download.getPath().regexpMatch("^\\$RUNNER_TEMP.*") and
+    (
      poisonable.(Run).getScript() = this.asExpr() and
      (
        // Check if the poisonable step is a local script execution step
@@ -294,16 +292,6 @@ class ArtifactPoisoningSink extends DataFlow::Node {
  string getPath() { result = download.getPath() }
 }

-/**
- * Gets the event that is relevant for the given node in the context of artifact poisoning.
- *
- * This is used to highlight the event in the query results when an alert is raised.
- */
-Event getRelevantEventInPrivilegedContext(DataFlow::Node node) {
-  inPrivilegedContext(node.asExpr(), result) and
-  not exists(ControlCheck check | check.protects(node.asExpr(), result, "artifact-poisoning"))
-}
-
 /**
 * A taint-tracking configuration for unsafe artifacts
 * that is used may lead to artifact poisoning
@@ -330,16 +318,6 @@ private module ArtifactPoisoningConfig implements DataFlow::ConfigSig {
      exists(run.getScript().getAFileReadCommand())
    )
  }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
-
-  Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    result = getRelevantEventInPrivilegedContext(sink).getLocation()
-  }
 }

 /** Tracks flow of unsafe artifacts that is used in an insecure way. */
--- a/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
@@ -3,8 +3,6 @@ private import codeql.actions.TaintTracking
 private import codeql.actions.dataflow.ExternalFlow
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.DataFlow
-import codeql.actions.security.ControlChecks
-import codeql.actions.security.CachePoisoningQuery

 class CodeInjectionSink extends DataFlow::Node {
  CodeInjectionSink() {
@@ -13,46 +11,6 @@ class CodeInjectionSink extends DataFlow::Node {
  }
 }

-/**
- * Get the relevant event for the sink in CodeInjectionCritical.ql.
- */
-Event getRelevantCriticalEventForSink(DataFlow::Node sink) {
-  inPrivilegedContext(sink.asExpr(), result) and
-  not exists(ControlCheck check | check.protects(sink.asExpr(), result, "code-injection")) and
-  // exclude cases where the sink is a JS script and the expression uses toJson
-  not exists(UsesStep script |
-    script.getCallee() = "actions/github-script" and
-    script.getArgumentExpr("script") = sink.asExpr() and
-    exists(getAToJsonReferenceExpression(sink.asExpr().(Expression).getExpression(), _))
-  )
-}
-
-/**
- * Get the relevant event for the sink in CachePoisoningViaCodeInjection.ql.
- */
-Event getRelevantCachePoisoningEventForSink(DataFlow::Node sink) {
-  exists(LocalJob job |
-    job = sink.asExpr().getEnclosingJob() and
-    job.getATriggerEvent() = result and
-    // job can be triggered by an external user
-    result.isExternallyTriggerable() and
-    // excluding privileged workflows since they can be exploited in easier circumstances
-    // which is covered by `actions/code-injection/critical`
-    not job.isPrivilegedExternallyTriggerable(result) and
-    (
-      // the workflow runs in the context of the default branch
-      runsOnDefaultBranch(result)
-      or
-      // the workflow caller runs in the context of the default branch
-      result.getName() = "workflow_call" and
-      exists(ExternalJob caller |
-        caller.getCallee() = job.getLocation().getFile().getRelativePath() and
-        runsOnDefaultBranch(caller.getATriggerEvent())
-      )
-    )
-  )
-}
-
 /**
 * A taint-tracking configuration for unsafe user input
 * that is used to construct and evaluate a code script.
@@ -77,18 +35,6 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {
      exists(run.getScript().getAFileReadCommand())
    )
  }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
-
-  Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    result = getRelevantCriticalEventForSink(sink).getLocation()
-    or
-    result = getRelevantCachePoisoningEventForSink(sink).getLocation()
-  }
 }

 /** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */
--- a/actions/ql/lib/codeql/actions/security/CommandInjectionQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/CommandInjectionQuery.qll
@@ -3,20 +3,11 @@ private import codeql.actions.TaintTracking
 private import codeql.actions.dataflow.ExternalFlow
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.DataFlow
-import codeql.actions.security.ControlChecks

 private class CommandInjectionSink extends DataFlow::Node {
  CommandInjectionSink() { madSink(this, "command-injection") }
 }

-/** Get the relevant event for the sink in CommandInjectionCritical.ql. */
-Event getRelevantEventInPrivilegedContext(DataFlow::Node sink) {
-  inPrivilegedContext(sink.asExpr(), result) and
-  not exists(ControlCheck check |
-    check.protects(sink.asExpr(), result, ["command-injection", "code-injection"])
-  )
-}
-
 /**
 * A taint-tracking configuration for unsafe user input
 * that is used to construct and evaluate a system command.
@@ -25,16 +16,6 @@ private module CommandInjectionConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
-
-  Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    result = getRelevantEventInPrivilegedContext(sink).getLocation()
-  }
 }

 /** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */
--- a/actions/ql/lib/codeql/actions/security/ControlChecks.qll
+++ b/actions/ql/lib/codeql/actions/security/ControlChecks.qll
@@ -159,8 +159,11 @@ abstract class CommentVsHeadDateCheck extends ControlCheck {

 /* Specific implementations of control checks */
 class LabelIfCheck extends LabelCheck instanceof If {
+  string condition;
+
  LabelIfCheck() {
-    exists(string condition | condition = normalizeExpr(this.getCondition()) |
+    condition = normalizeExpr(this.getCondition()) and
+    (
      // eg: contains(github.event.pull_request.labels.*.name, 'safe to test')
      condition.regexpMatch(".*(^|[^!])contains\\(\\s*github\\.event\\.pull_request\\.labels\\b.*")
      or
--- a/actions/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll
@@ -72,25 +72,6 @@ class EnvPathInjectionFromMaDSink extends EnvPathInjectionSink {
  EnvPathInjectionFromMaDSink() { madSink(this, "envpath-injection") }
 }

-/**
- * Get the relevant event for a sink in EnvPathInjectionCritical.ql where the source type is "artifact".
- */
-Event getRelevantArtifactEventInPrivilegedContext(DataFlow::Node sink) {
-  inPrivilegedContext(sink.asExpr(), result) and
-  not exists(ControlCheck check |
-    check.protects(sink.asExpr(), result, ["untrusted-checkout", "artifact-poisoning"])
-  ) and
-  sink instanceof EnvPathInjectionFromFileReadSink
-}
-
-/**
- * Get the relevant event for a sink in EnvPathInjectionCritical.ql where the source type is not "artifact".
- */
-Event getRelevantNonArtifactEventInPrivilegedContext(DataFlow::Node sink) {
-  inPrivilegedContext(sink.asExpr(), result) and
-  not exists(ControlCheck check | check.protects(sink.asExpr(), result, "code-injection"))
-}
-
 /**
 * A taint-tracking configuration for unsafe user input
 * that is used to construct and evaluate an environment variable.
@@ -127,18 +108,6 @@ private module EnvPathInjectionConfig implements DataFlow::ConfigSig {
      exists(run.getScript().getAFileReadCommand())
    )
  }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
-
-  Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    result = getRelevantArtifactEventInPrivilegedContext(sink).getLocation()
-    or
-    result = getRelevantNonArtifactEventInPrivilegedContext(sink).getLocation()
-  }
 }

 /** Tracks flow of unsafe user input that is used to construct and evaluate the PATH environment variable. */
--- a/actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll
@@ -55,8 +55,12 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink {
 *          echo "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV
 */
 class EnvVarInjectionFromCommandSink extends EnvVarInjectionSink {
+  CommandSource inCommand;
+  string injectedVar;
+  string command;
+
  EnvVarInjectionFromCommandSink() {
-    exists(Run run, CommandSource inCommand, string injectedVar, string command |
+    exists(Run run |
      this.asExpr() = inCommand.getEnclosingRun().getScript() and
      run = inCommand.getEnclosingRun() and
      run.getScript().getACmdReachingGitHubEnvWrite(inCommand.getCommand(), injectedVar) and
@@ -82,8 +86,12 @@ class EnvVarInjectionFromCommandSink extends EnvVarInjectionSink {
 *      echo "FOO=$BODY" >> $GITHUB_ENV
 */
 class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink {
+  string inVar;
+  string injectedVar;
+  string command;
+
  EnvVarInjectionFromEnvVarSink() {
-    exists(Run run, string inVar, string injectedVar, string command |
+    exists(Run run |
      run.getScript() = this.asExpr() and
      exists(run.getInScopeEnvVarExpr(inVar)) and
      run.getScript().getAnEnvReachingGitHubEnvWrite(inVar, injectedVar) and
@@ -118,32 +126,6 @@ class EnvVarInjectionFromMaDSink extends EnvVarInjectionSink {
  EnvVarInjectionFromMaDSink() { madSink(this, "envvar-injection") }
 }

-/**
- * Get the relevant event for a sink in EnvVarInjectionCritical.ql where the source type is "artifact".
- */
-Event getRelevantArtifactEventInPrivilegedContext(DataFlow::Node sink) {
-  inPrivilegedContext(sink.asExpr(), result) and
-  not exists(ControlCheck check |
-    check
-        .protects(sink.asExpr(), result,
-          ["envvar-injection", "untrusted-checkout", "artifact-poisoning"])
-  ) and
-  (
-    sink instanceof EnvVarInjectionFromFileReadSink or
-    madSink(sink, "envvar-injection")
-  )
-}
-
-/**
- * Get the relevant event for a sink in EnvVarInjectionCritical.ql where the source type is not "artifact".
- */
-Event getRelevantNonArtifactEventInPrivilegedContext(DataFlow::Node sink) {
-  inPrivilegedContext(sink.asExpr(), result) and
-  not exists(ControlCheck check |
-    check.protects(sink.asExpr(), result, ["envvar-injection", "code-injection"])
-  )
-}
-
 /**
 * A taint-tracking configuration for unsafe user input
 * that is used to construct and evaluate an environment variable.
@@ -181,18 +163,6 @@ private module EnvVarInjectionConfig implements DataFlow::ConfigSig {
      exists(run.getScript().getAFileReadCommand())
    )
  }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
-
-  Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    result = getRelevantArtifactEventInPrivilegedContext(sink).getLocation()
-    or
-    result = getRelevantNonArtifactEventInPrivilegedContext(sink).getLocation()
-  }
 }

 /** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */
--- a/actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
@@ -99,14 +99,18 @@ class OutputClobberingFromEnvVarSink extends OutputClobberingSink {
 *          echo $BODY
 */
 class WorkflowCommandClobberingFromEnvVarSink extends OutputClobberingSink {
+  string clobbering_var;
+  string clobbered_value;
+
  WorkflowCommandClobberingFromEnvVarSink() {
-    exists(Run run, string workflow_cmd_stmt, string clobbering_stmt, string clobbering_var |
+    exists(Run run, string workflow_cmd_stmt, string clobbering_stmt |
      run.getScript() = this.asExpr() and
      run.getScript().getAStmt() = clobbering_stmt and
      clobbering_stmt.regexpMatch("echo\\s+(-e\\s+)?(\"|')?\\$(\\{)?" + clobbering_var + ".*") and
      exists(run.getInScopeEnvVarExpr(clobbering_var)) and
      run.getScript().getAStmt() = workflow_cmd_stmt and
-      exists(trimQuotes(workflow_cmd_stmt.regexpCapture(".*::set-output\\s+name=.*::(.*)", 1)))
+      clobbered_value =
+        trimQuotes(workflow_cmd_stmt.regexpCapture(".*::set-output\\s+name=.*::(.*)", 1))
    )
  }
 }
--- a/actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll
+++ b/actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll
@@ -1,8 +1,10 @@
 import actions

 class UnversionedImmutableAction extends UsesStep {
+  string immutable_action;
+
  UnversionedImmutableAction() {
-    isImmutableAction(this, _) and
+    isImmutableAction(this, immutable_action) and
    not isSemVer(this.getVersion())
  }
 }
--- a/actions/ql/lib/qlpack.yml
+++ b/actions/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.17
+version: 0.4.14
 library: true
 warnOnImplicitThis: true
 dependencies:
--- a/actions/ql/src/CHANGELOG.md
+++ b/actions/ql/src/CHANGELOG.md
@@ -1,17 +1,3 @@
-## 0.6.9
-
-### Minor Analysis Improvements
-
-* Actions analysis now reports file coverage information on the CodeQL status page.
-
-## 0.6.8
-
-No user-facing changes.
-
-## 0.6.7
-
-No user-facing changes.
-
 ## 0.6.6

 No user-facing changes.
--- a/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
+++ b/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
@@ -1,13 +0,0 @@
-/**
- * @id actions/diagnostics/successfully-extracted-files
- * @name Extracted files
- * @description List all files that were extracted.
- * @kind diagnostic
- * @tags successfully-extracted-files
- */
-
-private import codeql.Locations
-
-from File f
-where exists(f.getRelativePath())
-select f, ""
--- a/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
+++ b/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
@@ -21,12 +21,18 @@ import codeql.actions.security.ControlChecks
 from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink, Event event
 where
  EnvPathInjectionFlow::flowPath(source, sink) and
+  inPrivilegedContext(sink.getNode().asExpr(), event) and
  (
    not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
-    event = getRelevantNonArtifactEventInPrivilegedContext(sink.getNode())
+    not exists(ControlCheck check |
+      check.protects(sink.getNode().asExpr(), event, "code-injection")
+    )
    or
    source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
-    event = getRelevantArtifactEventInPrivilegedContext(sink.getNode())
+    not exists(ControlCheck check |
+      check.protects(sink.getNode().asExpr(), event, ["untrusted-checkout", "artifact-poisoning"])
+    ) and
+    sink.getNode() instanceof EnvPathInjectionFromFileReadSink
  )
 select sink.getNode(), source, sink,
  "Potential PATH environment variable injection in $@, which may be controlled by an external user ($@).",
--- a/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
+++ b/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
@@ -22,15 +22,26 @@ import codeql.actions.security.ControlChecks
 from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink, Event event
 where
  EnvVarInjectionFlow::flowPath(source, sink) and
+  inPrivilegedContext(sink.getNode().asExpr(), event) and
  // exclude paths to file read sinks from non-artifact sources
  (
    // source is text
    not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
-    event = getRelevantNonArtifactEventInPrivilegedContext(sink.getNode())
+    not exists(ControlCheck check |
+      check.protects(sink.getNode().asExpr(), event, ["envvar-injection", "code-injection"])
+    )
    or
    // source is an artifact or a file from an untrusted checkout
    source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
-    event = getRelevantArtifactEventInPrivilegedContext(sink.getNode())
+    not exists(ControlCheck check |
+      check
+          .protects(sink.getNode().asExpr(), event,
+            ["envvar-injection", "untrusted-checkout", "artifact-poisoning"])
+    ) and
+    (
+      sink.getNode() instanceof EnvVarInjectionFromFileReadSink or
+      madSink(sink.getNode(), "envvar-injection")
+    )
  )
 select sink.getNode(), source, sink,
  "Potential environment variable injection in $@, which may be controlled by an external user ($@).",
--- a/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
+++ b/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
@@ -22,8 +22,15 @@ import codeql.actions.security.ControlChecks
 from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Event event
 where
  CodeInjectionFlow::flowPath(source, sink) and
-  event = getRelevantCriticalEventForSink(sink.getNode()) and
-  source.getNode().(RemoteFlowSource).getEventName() = event.getName()
+  inPrivilegedContext(sink.getNode().asExpr(), event) and
+  source.getNode().(RemoteFlowSource).getEventName() = event.getName() and
+  not exists(ControlCheck check | check.protects(sink.getNode().asExpr(), event, "code-injection")) and
+  // exclude cases where the sink is a JS script and the expression uses toJson
+  not exists(UsesStep script |
+    script.getCallee() = "actions/github-script" and
+    script.getArgumentExpr("script") = sink.getNode().asExpr() and
+    exists(getAToJsonReferenceExpression(sink.getNode().asExpr().(Expression).getExpression(), _))
+  )
 select sink.getNode(), source, sink,
  "Potential code injection in $@, which may be controlled by an external user ($@).", sink,
  sink.getNode().asExpr().(Expression).getRawExpression(), event, event.getName()
--- a/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
+++ b/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
@@ -18,13 +18,30 @@ import codeql.actions.security.CachePoisoningQuery
 import CodeInjectionFlow::PathGraph
 import codeql.actions.security.ControlChecks

-from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Event event
+from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, LocalJob job, Event event
 where
  CodeInjectionFlow::flowPath(source, sink) and
-  event = getRelevantCachePoisoningEventForSink(sink.getNode()) and
+  job = sink.getNode().asExpr().getEnclosingJob() and
+  job.getATriggerEvent() = event and
+  // job can be triggered by an external user
+  event.isExternallyTriggerable() and
  // the checkout is not controlled by an access check
  not exists(ControlCheck check |
    check.protects(source.getNode().asExpr(), event, "code-injection")
+  ) and
+  // excluding privileged workflows since they can be exploited in easier circumstances
+  // which is covered by `actions/code-injection/critical`
+  not job.isPrivilegedExternallyTriggerable(event) and
+  (
+    // the workflow runs in the context of the default branch
+    runsOnDefaultBranch(event)
+    or
+    // the workflow caller runs in the context of the default branch
+    event.getName() = "workflow_call" and
+    exists(ExternalJob caller |
+      caller.getCallee() = job.getLocation().getFile().getRelativePath() and
+      runsOnDefaultBranch(caller.getATriggerEvent())
+    )
  )
 select sink.getNode(), source, sink,
  "Unprivileged code injection in $@, which may lead to cache poisoning ($@).", sink,
--- a/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
+++ b/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
@@ -19,7 +19,10 @@ import codeql.actions.security.ControlChecks
 from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sink, Event event
 where
  ArtifactPoisoningFlow::flowPath(source, sink) and
-  event = getRelevantEventInPrivilegedContext(sink.getNode())
+  inPrivilegedContext(sink.getNode().asExpr(), event) and
+  not exists(ControlCheck check |
+    check.protects(sink.getNode().asExpr(), event, "artifact-poisoning")
+  )
 select sink.getNode(), source, sink,
  "Potential artifact poisoning in $@, which may be controlled by an external user ($@).", sink,
  sink.getNode().toString(), event, event.getName()
--- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md
+++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md
@@ -1,6 +1,6 @@
 ## Overview

-GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed (e.g., due to a modified build script) in a privileged job.
+GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed in a privileged job.

 ## Recommendation

@@ -32,7 +32,7 @@ jobs:

      - uses: actions/setup-node@v1
      - run: |
-          npm install # scripts in package.json from PR would be executed here
+          npm install
          npm build

      - uses: completely/fakeaction@v2
--- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md
+++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md
@@ -1,6 +1,6 @@
 ## Overview

-GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed (e.g., due to a modified build script) in a privileged job.
+GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed in a privileged job.

 ## Recommendation

@@ -32,7 +32,7 @@ jobs:

      - uses: actions/setup-node@v1
      - run: |
-          npm install # scripts in package.json from PR would be executed here
+          npm install
          npm build

      - uses: completely/fakeaction@v2
--- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md
+++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md
@@ -1,6 +1,6 @@
 ## Overview

-GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed (e.g., due to a modified build script) in a privileged job.
+GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed in a privileged job.

 ## Recommendation

@@ -32,7 +32,7 @@ jobs:

      - uses: actions/setup-node@v1
      - run: |
-          npm install # scripts in package.json from PR would be executed here
+          npm install
          npm build

      - uses: completely/fakeaction@v2
--- a/actions/ql/src/change-notes/released/0.6.7.md
+++ b/actions/ql/src/change-notes/released/0.6.7.md
@@ -1,3 +0,0 @@
-## 0.6.7
-
-No user-facing changes.
--- a/actions/ql/src/change-notes/released/0.6.8.md
+++ b/actions/ql/src/change-notes/released/0.6.8.md
@@ -1,3 +0,0 @@
-## 0.6.8
-
-No user-facing changes.
--- a/actions/ql/src/change-notes/released/0.6.9.md
+++ b/actions/ql/src/change-notes/released/0.6.9.md
@@ -1,5 +0,0 @@
-## 0.6.9
-
-### Minor Analysis Improvements
-
-* Actions analysis now reports file coverage information on the CodeQL status page.
--- a/actions/ql/src/codeql-pack.release.yml
+++ b/actions/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.9
+lastReleaseVersion: 0.6.6
--- a/actions/ql/src/experimental/Security/CWE-078/CommandInjectionCritical.ql
+++ b/actions/ql/src/experimental/Security/CWE-078/CommandInjectionCritical.ql
@@ -21,7 +21,10 @@ import codeql.actions.security.ControlChecks
 from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink, Event event
 where
  CommandInjectionFlow::flowPath(source, sink) and
-  event = getRelevantEventInPrivilegedContext(sink.getNode())
+  inPrivilegedContext(sink.getNode().asExpr(), event) and
+  not exists(ControlCheck check |
+    check.protects(sink.getNode().asExpr(), event, ["command-injection", "code-injection"])
+  )
 select sink.getNode(), source, sink,
  "Potential command injection in $@, which may be controlled by an external user ($@).", sink,
  sink.getNode().asExpr().(Expression).getRawExpression(), event, event.getName()
--- a/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.ql
+++ b/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.ql
@@ -20,7 +20,10 @@ import codeql.actions.security.ControlChecks
 from ArgumentInjectionFlow::PathNode source, ArgumentInjectionFlow::PathNode sink, Event event
 where
  ArgumentInjectionFlow::flowPath(source, sink) and
-  event = getRelevantEventInPrivilegedContext(sink.getNode())
+  inPrivilegedContext(sink.getNode().asExpr(), event) and
+  not exists(ControlCheck check |
+    check.protects(sink.getNode().asExpr(), event, "argument-injection")
+  )
 select sink.getNode(), source, sink,
  "Potential argument injection in $@ command, which may be controlled by an external user ($@).",
  sink, sink.getNode().(ArgumentInjectionSink).getCommand(), event, event.getName()
--- a/actions/ql/src/experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
+++ b/actions/ql/src/experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
@@ -37,6 +37,8 @@ where
    )
    or
    // upload artifact is not used in the same workflow
-    not download.getEnclosingWorkflow().getAJob().(LocalJob).getAStep() instanceof UsesStep
+    not exists(UsesStep upload |
+      download.getEnclosingWorkflow().getAJob().(LocalJob).getAStep() = upload
+    )
  )
 select download, "Potential artifact poisoning"
--- a/actions/ql/src/qlpack.yml
+++ b/actions/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.9
+version: 0.6.6
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]
--- a/config/add-overlay-annotations.py
+++ b/config/add-overlay-annotations.py
@@ -177,12 +177,6 @@ def insert_overlay_caller_annotations(lines):
        out_lines.append(line)
    return out_lines

-explicitly_global = set([
-    "java/ql/lib/semmle/code/java/dispatch/VirtualDispatch.qll",
-    "java/ql/lib/semmle/code/java/dispatch/DispatchFlow.qll",
-    "java/ql/lib/semmle/code/java/dispatch/ObjFlow.qll",
-    "java/ql/lib/semmle/code/java/dispatch/internal/Unification.qll",
-])

 def annotate_as_appropriate(filename, lines):
    '''
@@ -202,9 +196,6 @@ def annotate_as_appropriate(filename, lines):
        ((filename.endswith("Query.qll") or filename.endswith("Config.qll")) and
         any("implements DataFlow::ConfigSig" in line for line in lines))):
        return None
-    elif filename in explicitly_global:
-        # These files are explicitly global and should not be annotated.
-        return None
    elif not any(line for line in lines if line.strip()):
        return None

--- a/cpp/downgrades/c16b29b27f71247023321cc0d0360998b318837c/old.dbscheme
+++ b/cpp/downgrades/c16b29b27f71247023321cc0d0360998b318837c/old.dbscheme
--- a/cpp/downgrades/c16b29b27f71247023321cc0d0360998b318837c/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/c16b29b27f71247023321cc0d0360998b318837c/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/c16b29b27f71247023321cc0d0360998b318837c/upgrade.properties
+++ b/cpp/downgrades/c16b29b27f71247023321cc0d0360998b318837c/upgrade.properties
@@ -1,4 +0,0 @@
-description: Link PCH creations and uses
-compatibility: full
-pch_uses.rel: delete
-pch_creations.rel: delete
--- a/Show More
+++ b/Show More