Merge pull request #22059 from github/release-prep/2.26.0

Release preparation for version 2.26.0

actions/ql/lib/CHANGELOG.md

@@ -1,3 +1,10 @@
+## 0.4.38
+
+### Bug Fixes
+
+* GitHub Actions queries now better account for permission checks on jobs that call reusable workflows.
+* The query `actions/pr-on-self-hosted-runner` was updated to the latest standard runner labels reducing false positive results.
+
 ## 0.4.37
 
 ### Minor Analysis Improvements

actions/ql/lib/change-notes/2026-06-12-self_hosted_runners.md

@@ -1,4 +0,0 @@
----
-category: fix
----
-* The query `actions/pr-on-self-hosted-runner` was updated to the latest standard runner labels reducing false positive results.

actions/ql/lib/change-notes/released/0.4.38.md

@@ -0,0 +1,6 @@
+## 0.4.38
+
+### Bug Fixes
+
+* GitHub Actions queries now better account for permission checks on jobs that call reusable workflows.
+* The query `actions/pr-on-self-hosted-runner` was updated to the latest standard runner labels reducing false positive results.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.37
+lastReleaseVersion: 0.4.38

actions/ql/lib/codeql/actions/security/ControlChecks.qll

@@ -42,6 +42,15 @@ string actor_not_attacker_event() {
     ]
 }
 
+/**
+ * Gets the outer caller of `ej`, i.e. the `ExternalJob` that calls the
+ * reusable workflow containing `ej`. Used with transitive closure to
+ * walk up nested reusable workflow chains.
+ */
+private ExternalJob getAnOuterCaller(ExternalJob ej) {
+  result = ej.getEnclosingWorkflow().(ReusableWorkflow).getACaller()
+}
+
 /** An If node that contains an actor, user or label check */
 abstract class ControlCheck extends AstNode {
   ControlCheck() {
@@ -53,43 +62,170 @@ abstract class ControlCheck extends AstNode {
 
   predicate protects(AstNode node, Event event, string category) {
     // The check dominates the step it should protect
-    this.dominates(node) and
+    this.dominates(node, event) and
     // The check is effective against the event and category
     this.protectsCategoryAndEvent(category, event.getName()) and
     // The check can be triggered by the event
-    this.getATriggerEvent() = event
+    this.getATriggerEvent() = event and
+    // For reusable workflows, there must be no unprotected caller chain for this event.
+    (
+      not node.getEnclosingWorkflow() instanceof ReusableWorkflow
+      or
+      this.dominatesSameWorkflow(node, event)
+      or
+      not exists(ExternalJob directCaller |
+        directCaller = node.getEnclosingWorkflow().(ReusableWorkflow).getACaller() and
+        unprotectedCallerChain(directCaller, event, category)
+      )
+    )
   }
 
-  predicate dominates(AstNode node) {
+  /**
+   * Holds if this control check must execute and pass before `node` can run.
+   */
+  predicate dominates(AstNode node, Event event) {
+    this.dominatesSameWorkflow(node, event)
+    or
+    // When the node is inside a reusable workflow,
+    // this check dominates via at least one caller chain.
+    this.dominatesViaCaller(node, event, _)
+  }
+
+  /**
+   * Holds if this control check dominates `node` within the same workflow.
+   */
+  predicate dominatesSameWorkflow(AstNode node, Event event) {
+    this.getATriggerEvent() = event and
+    (
+      // Step-level: the check is an `if:` on the step containing `node`,
+      // or on the enclosing job, or on a needed job/step.
+      this instanceof If and
+      (
+        node.getEnclosingStep().getIf() = this or
+        node.getEnclosingJob().getIf() = this or
+        node.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or
+        node.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this
+      )
+      or
+      // Job-level: the check is an environment on the enclosing job or a needed job.
+      this instanceof Environment and
+      (
+        node.getEnclosingJob().getEnvironment() = this
+        or
+        node.getEnclosingJob().getANeededJob().getEnvironment() = this
+      )
+      or
+      // Step-level: the check is a Run/UsesStep that precedes `node`'s step
+      // in the same job, or is a step in a needed job.
+      (
+        this instanceof Run or
+        this instanceof UsesStep
+      ) and
+      (
+        this.(Step).getAFollowingStep() = node.getEnclosingStep()
+        or
+        node.getEnclosingJob().getANeededJob().(LocalJob).getAStep() = this
+      )
+    )
+  }
+
+  /**
+   * Holds if this control check dominates `node` in a reusable workflow
+   * via the caller chain starting at `directCaller`.
+   */
+  predicate dominatesViaCaller(AstNode node, Event event, ExternalJob directCaller) {
+    directCaller = node.getEnclosingWorkflow().(ReusableWorkflow).getACaller() and
+    directCaller.getATriggerEvent() = event and
+    exists(ExternalJob caller |
+      caller = getAnOuterCaller*(directCaller) and
+      this.dominatesCaller(caller)
+    )
+  }
+
+  /**
+   * Holds if this control check directly dominates `caller`.
+   */
+  predicate dominatesCaller(ExternalJob caller) {
     this instanceof If and
     (
-      node.getEnclosingStep().getIf() = this or
-      node.getEnclosingJob().getIf() = this or
-      node.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or
-      node.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this
+      caller.getIf() = this or
+      caller.getANeededJob().(LocalJob).getIf() = this or
+      caller.getANeededJob().(LocalJob).getAStep().getIf() = this
     )
     or
     this instanceof Environment and
     (
-      node.getEnclosingJob().getEnvironment() = this
-      or
-      node.getEnclosingJob().getANeededJob().getEnvironment() = this
+      caller.getEnvironment() = this or
+      caller.getANeededJob().getEnvironment() = this
     )
     or
-    (
-      this instanceof Run or
-      this instanceof UsesStep
-    ) and
-    (
-      this.(Step).getAFollowingStep() = node.getEnclosingStep()
-      or
-      node.getEnclosingJob().getANeededJob().(LocalJob).getAStep() = this.(Step)
-    )
+    (this instanceof Run or this instanceof UsesStep) and
+    caller.getANeededJob().(LocalJob).getAStep() = this
   }
 
   abstract predicate protectsCategoryAndEvent(string category, string event);
 }
 
+/**
+ * Holds if this control check directly protects `caller`.
+ */
+bindingset[caller, event, category]
+private predicate protectedCaller(ExternalJob caller, Event event, string category) {
+  exists(ControlCheck check |
+    check.protectsCategoryAndEvent(category, event.getName()) and
+    check.getATriggerEvent() = event and
+    check.dominatesCaller(caller)
+  )
+}
+
+cached
+private newtype TCallerState =
+  MkCallerState(ExternalJob caller, Event event, string category) {
+    caller.getATriggerEvent() = event and
+    category = any_category()
+  }
+
+private class CallerState extends TCallerState, MkCallerState {
+  ExternalJob caller;
+  Event event;
+  string category;
+
+  CallerState() { this = MkCallerState(caller, event, category) }
+
+  ExternalJob getCaller() { result = caller }
+
+  Event getEvent() { result = event }
+
+  string getCategory() { result = category }
+
+  /**
+   * Gets an outer caller state if this caller is not protected.
+   */
+  CallerState getUnprotectedOuterState() {
+    not protectedCaller(this.getCaller(), this.getEvent(), this.getCategory()) and
+    result = MkCallerState(getAnOuterCaller(this.getCaller()), this.getEvent(), this.getCategory())
+  }
+
+  predicate isUnprotectedOutermost() {
+    not protectedCaller(this.getCaller(), this.getEvent(), this.getCategory()) and
+    not exists(getAnOuterCaller(this.getCaller()))
+  }
+
+  string toString() { result = caller + " / " + event + " / " + category }
+}
+
+/**
+ * Holds if there is a caller path from `caller` to an outer workflow that has no protection.
+ */
+bindingset[caller, event, category]
+private predicate unprotectedCallerChain(ExternalJob caller, Event event, string category) {
+  exists(CallerState start, CallerState outermost |
+    start = MkCallerState(caller, event, category) and
+    outermost = start.getUnprotectedOuterState*() and
+    outermost.isUnprotectedOutermost()
+  )
+}
+
 abstract class AssociationCheck extends ControlCheck {
   // Checks if the actor is a MEMBER/OWNER the repo
   // - they are effective against pull requests and workflow_run (since these are triggered by pull_requests) since they can control who is making the PR

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.38-dev
+version: 0.4.38
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 0.6.30
+
+### Query Metadata Changes
+
+* The name, description, and alert message of `actions/untrusted-checkout/medium` have been corrected to describe a non-privileged context.
+
 ## 0.6.29
 
 ### Query Metadata Changes

actions/ql/src/Security/CWE-285/ImproperAccessControl.ql

@@ -18,7 +18,7 @@ from LocalJob job, LabelCheck check, MutableRefCheckoutStep checkout, Event even
 where
   job.isPrivileged() and
   job.getAStep() = checkout and
-  check.dominates(checkout) and
+  check.dominates(checkout, event) and
   (
     job.getATriggerEvent() = event and
     event.getName() = "pull_request_target" and

actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql

@@ -34,8 +34,8 @@ where
         check instanceof AssociationCheck or
         check instanceof PermissionCheck
       ) and
-      check.dominates(checkout) and
-      date_check.dominates(checkout)
+      check.dominates(checkout, event) and
+      date_check.dominates(checkout, event)
     )
     or
     // not issue_comment triggered workflows

actions/ql/src/change-notes/released/0.6.30.md

@@ -1,4 +1,5 @@
----
-category: queryMetadata
----
+## 0.6.30
+
+### Query Metadata Changes
+
 * The name, description, and alert message of `actions/untrusted-checkout/medium` have been corrected to describe a non-privileged context.

actions/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.29
+lastReleaseVersion: 0.6.30

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.30-dev
+version: 0.6.30
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml

@@ -0,0 +1,17 @@
+on:
+  workflow_call:
+    inputs:
+      COMMIT_SHA:
+        type: string
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          ref: ${{ inputs.COMMIT_SHA }}
+      - run: |
+          npm install
+          npm run lint
+      

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/build_nested.yml

@@ -0,0 +1,13 @@
+on:
+  workflow_call:
+    inputs:
+      COMMIT_SHA:
+        type: string
+
+jobs:
+  build:
+    uses: TestOrg/TestRepo/.github/workflows/build.yml@main
+    with:
+      COMMIT_SHA: ${{ inputs.COMMIT_SHA }}
+
+      

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/build_nested_branching.yml

@@ -0,0 +1,33 @@
+on:
+  workflow_call:
+    inputs:
+      COMMIT_SHA:
+        type: string
+
+jobs:
+  is-collaborator:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get User Permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
+        with:
+          require: write
+          username: ${{ github.actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check User Permission
+        if: steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          exit 1
+  build_safe:
+    needs: is-collaborator
+    uses: TestOrg/TestRepo/.github/workflows/build_nested.yml@main
+    with:
+      COMMIT_SHA: ${{ inputs.COMMIT_SHA }}
+  build_unsafe:
+    uses: TestOrg/TestRepo/.github/workflows/build_nested.yml@main
+    with:
+      COMMIT_SHA: ${{ inputs.COMMIT_SHA }}

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_no_needs.yml

@@ -0,0 +1,31 @@
+on:
+  pull_request_target:                                     
+
+jobs:
+  is-collaborator:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get User Permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
+        with:
+          require: write
+          username: ${{ github.actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check User Permission
+        if: steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          exit 1
+  build:
+    runs-on: ubuntu-latest
+    #needs: is-collaborator Mistake, doesn't wait for the collaborator - no security check
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }} # should alert
+          fetch-depth: 2
+      - run: yarn test

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_permission_check_reusable.yml

@@ -0,0 +1,26 @@
+on:
+  pull_request_target:                                     
+
+jobs:
+  is-collaborator:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get User Permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
+        with:
+          require: write
+          username: ${{ github.actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check User Permission
+        if: steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          exit 1
+  build:
+    needs: is-collaborator
+    uses: TestOrg/TestRepo/.github/workflows/build.yml@main
+    with:
+      COMMIT_SHA: ${{ github.event.pull_request.head.sha }} # shouldn't alert since permission check

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_permission_check_reusable2.yml

@@ -0,0 +1,31 @@
+on:
+  pull_request_target:                                     
+
+jobs:
+  is-collaborator:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get User Permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
+        with:
+          require: write
+          username: ${{ github.actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check User Permission
+        if: steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          exit 1
+  build_unsafe:
+    # needs: is-collaborator
+    uses: TestOrg/TestRepo/.github/workflows/build.yml@main
+    with:
+      COMMIT_SHA: ${{ github.event.pull_request.head.sha }} # should alert since no permission check
+  build_safe:
+    needs: is-collaborator
+    uses: TestOrg/TestRepo/.github/workflows/build.yml@main
+    with:
+      COMMIT_SHA: ${{ github.event.pull_request.head.sha }} # shouldn't alert since permission check

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_permission_check_reusable_branching_nested.yml

@@ -0,0 +1,8 @@
+on:
+  pull_request_target:
+
+jobs:
+  build:
+    uses: TestOrg/TestRepo/.github/workflows/build_nested_branching.yml@main
+    with:
+      COMMIT_SHA: ${{ github.event.pull_request.head.sha }}

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_permission_check_reusable_level2.yml

@@ -0,0 +1,26 @@
+on:
+  pull_request_target:                                     
+
+jobs:
+  is-collaborator:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get User Permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
+        with:
+          require: write
+          username: ${{ github.actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check User Permission
+        if: steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          exit 1
+  build:
+    needs: is-collaborator
+    uses: TestOrg/TestRepo/.github/workflows/build_nested.yml@main
+    with:
+      COMMIT_SHA: ${{ github.event.pull_request.head.sha }} # shouldn't alert since permission check

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_permission_check_reusable_no_needs.yml

@@ -0,0 +1,26 @@
+on:
+  pull_request_target:                                     
+
+jobs:
+  is-collaborator:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get User Permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
+        with:
+          require: write
+          username: ${{ github.actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check User Permission
+        if: steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          exit 1
+  build:
+    # needs: is-collaborator
+    uses: TestOrg/TestRepo/.github/workflows/build_nested.yml@main
+    with:
+      COMMIT_SHA: ${{ github.event.pull_request.head.sha }}

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_permissions_check.yml

@@ -0,0 +1,41 @@
+on:
+  pull_request_target:                                     
+
+jobs:
+  is-collaborator:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get User Permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
+        with:
+          require: write
+          username: ${{ github.actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check User Permission
+        if: steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          exit 1
+  build:
+    runs-on: ubuntu-latest
+    needs: is-collaborator
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }} # shouldn't alert since permission check
+          fetch-depth: 2
+      - run: yarn test
+  build_unsafe:
+    runs-on: ubuntu-latest
+    # needs: is-collaborator
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }} # should alert since no permission check
+          fetch-depth: 2
+      - run: yarn test

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_two_callers_both_protected.yml

@@ -0,0 +1,48 @@
+on:
+  pull_request_target:                                     
+
+jobs:
+  is-collaborator-a:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get User Permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
+        with:
+          require: write
+          username: ${{ github.actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check User Permission
+        if: steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          exit 1
+  caller-a:
+    needs: is-collaborator-a
+    uses: TestOrg/TestRepo/.github/workflows/build.yml@main
+    with:
+      COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
+  is-collaborator-b:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get User Permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
+        with:
+          require: write
+          username: ${{ github.actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check User Permission
+        if: steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          exit 1
+  caller-b:
+    needs: is-collaborator-b
+    uses: TestOrg/TestRepo/.github/workflows/build.yml@main
+    with:
+      COMMIT_SHA: ${{ github.event.pull_request.head.sha }}

actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected

@@ -93,6 +93,8 @@ edges
 | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:20:9:25:6 | Uses Step |
 | .github/workflows/dependabot3.yml:20:9:25:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone |
 | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:48:9:52:57 | Run Step |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:14:9:17:7 | Run Step |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build_nested_branching.yml:11:9:19:6 | Uses Step: checkAccess | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build_nested_branching.yml:19:9:25:2 | Run Step |
 | .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:14:9:19:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step |
 | .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:25:9:70:20 | Run Step |
 | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step |
@@ -334,6 +336,17 @@ edges
 | .github/workflows/untrusted_checkout_6.yml:11:9:14:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:14:9:17:6 | Uses Step |
 | .github/workflows/untrusted_checkout_6.yml:14:9:17:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:17:9:21:6 | Uses Step |
 | .github/workflows/untrusted_checkout_6.yml:17:9:21:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:21:9:23:23 | Run Step |
+| .github/workflows/untrusted_checkout_no_needs.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_no_needs.yml:16:9:22:2 | Run Step |
+| .github/workflows/untrusted_checkout_no_needs.yml:26:9:31:6 | Uses Step | .github/workflows/untrusted_checkout_no_needs.yml:31:9:31:23 | Run Step |
+| .github/workflows/untrusted_checkout_permission_check_reusable2.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permission_check_reusable2.yml:16:9:22:2 | Run Step |
+| .github/workflows/untrusted_checkout_permission_check_reusable.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permission_check_reusable.yml:16:9:22:2 | Run Step |
+| .github/workflows/untrusted_checkout_permission_check_reusable_level2.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permission_check_reusable_level2.yml:16:9:22:2 | Run Step |
+| .github/workflows/untrusted_checkout_permission_check_reusable_no_needs.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permission_check_reusable_no_needs.yml:16:9:22:2 | Run Step |
+| .github/workflows/untrusted_checkout_permissions_check.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permissions_check.yml:16:9:22:2 | Run Step |
+| .github/workflows/untrusted_checkout_permissions_check.yml:26:9:31:6 | Uses Step | .github/workflows/untrusted_checkout_permissions_check.yml:31:9:32:2 | Run Step |
+| .github/workflows/untrusted_checkout_permissions_check.yml:36:9:41:6 | Uses Step | .github/workflows/untrusted_checkout_permissions_check.yml:41:9:41:22 | Run Step |
+| .github/workflows/untrusted_checkout_two_callers_both_protected.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_two_callers_both_protected.yml:16:9:22:2 | Run Step |
+| .github/workflows/untrusted_checkout_two_callers_both_protected.yml:30:9:38:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_two_callers_both_protected.yml:38:9:44:2 | Run Step |
 | .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step |
 | .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step |
 | .github/workflows/workflow_run_untrusted_checkout_3.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_3.yml:16:9:18:31 | Uses Step |
@@ -344,6 +357,9 @@ edges
 | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
 | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
 | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | pull_request_target |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:14:9:17:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_permission_check_reusable2.yml:2:3:2:21 | pull_request_target | pull_request_target |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:14:9:17:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_permission_check_reusable_branching_nested.yml:2:3:2:21 | pull_request_target | pull_request_target |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:14:9:17:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_permission_check_reusable_no_needs.yml:2:3:2:21 | pull_request_target | pull_request_target |
 | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | pull_request_target |
 | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | pull_request_target |
@@ -377,3 +393,5 @@ edges
 | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
 | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target |
 | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target |
+| .github/workflows/untrusted_checkout_no_needs.yml:26:9:31:6 | Uses Step | .github/workflows/untrusted_checkout_no_needs.yml:26:9:31:6 | Uses Step | .github/workflows/untrusted_checkout_no_needs.yml:31:9:31:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_no_needs.yml:2:3:2:21 | pull_request_target | pull_request_target |
+| .github/workflows/untrusted_checkout_permissions_check.yml:36:9:41:6 | Uses Step | .github/workflows/untrusted_checkout_permissions_check.yml:36:9:41:6 | Uses Step | .github/workflows/untrusted_checkout_permissions_check.yml:41:9:41:22 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_permissions_check.yml:2:3:2:21 | pull_request_target | pull_request_target |

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,20 @@
+## 11.0.0
+
+### Breaking Changes
+
+* Removed the deprecated `overrideReturnsNull` predicate from `Options.qll`. Use `CustomOptions.overrideReturnsNull` instead.
+* Removed the deprecated `returnsNull` predicate from `Options.qll`. Use `CustomOptions.returnsNull` instead.
+* Removed the deprecated `exits` predicate from `Options.qll`. Use `CustomOptions.exits` instead.
+* Removed the deprecated `exprExits` predicate from `Options.qll`. Use `CustomOptions.exprExits` instead.
+* Removed the deprecated `alwaysCheckReturnValue` predicate from `Options.qll`. Use `CustomOptions.alwaysCheckReturnValue` instead.
+* Removed the deprecated `okToIgnoreReturnValue` predicate from `Options.qll`. Use `CustomOptions.okToIgnoreReturnValue` instead.
+* Removed the deprecated `semmle.code.cpp.Member`. Import `semmle.code.cpp.Element` and/or `semmle.code.cpp.Type` directly.
+* Removed the deprecated `UnknownDefaultLocation` class. Use `UnknownLocation` instead.
+* Removed the deprecated `UnknownExprLocation` class. Use `UnknownLocation` instead.
+* Removed the deprecated `UnknownStmtLocation` class. Use `UnknownLocation` instead.
+* Removed the deprecated `TemplateParameter` class. Use `TypeTemplateParameter` instead.
+* Support for class resolution across link targets has been removed for databases which were created with CodeQL versions before 1.23.0.
+
 ## 10.2.0
 
 ### Deprecated APIs

cpp/ql/lib/change-notes/released/11.0.0.md

@@ -1,6 +1,7 @@
----
-category: breaking
----
+## 11.0.0
+
+### Breaking Changes
+
 * Removed the deprecated `overrideReturnsNull` predicate from `Options.qll`. Use `CustomOptions.overrideReturnsNull` instead.
 * Removed the deprecated `returnsNull` predicate from `Options.qll`. Use `CustomOptions.returnsNull` instead.
 * Removed the deprecated `exits` predicate from `Options.qll`. Use `CustomOptions.exits` instead.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 10.2.0
+lastReleaseVersion: 11.0.0

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 10.2.1-dev
+version: 11.0.0
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.6.5
+
+No user-facing changes.
+
 ## 1.6.4
 
 No user-facing changes.

cpp/ql/src/change-notes/released/1.6.5.md

@@ -0,0 +1,3 @@
+## 1.6.5
+
+No user-facing changes.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.6.4
+lastReleaseVersion: 1.6.5

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.6.5-dev
+version: 1.6.5
 groups:
   - cpp
   - queries

csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.7.69
+
+No user-facing changes.
+
 ## 1.7.68
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.69.md

@@ -0,0 +1,3 @@
+## 1.7.69
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.68
+lastReleaseVersion: 1.7.69

csharp/ql/campaigns/Solorigate/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.69-dev
+version: 1.7.69
 groups:
   - csharp
   - solorigate

csharp/ql/campaigns/Solorigate/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.7.69
+
+No user-facing changes.
+
 ## 1.7.68
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.69.md

@@ -0,0 +1,3 @@
+## 1.7.69
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.68
+lastReleaseVersion: 1.7.69

csharp/ql/campaigns/Solorigate/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.69-dev
+version: 1.7.69
 groups:
   - csharp
   - solorigate

csharp/ql/lib/CHANGELOG.md

@@ -1,3 +1,19 @@
+## 7.0.0
+
+### Breaking Changes
+
+* Renamed types related to *operation* expressions. The QL classes `BinaryArithmeticOperation`, `BinaryBitwiseOperation`, and `BinaryLogicalOperation` now include compound assignments; for example, `BinaryArithmeticOperation` now includes `a += b`.
+
+### Major Analysis Improvements
+
+* Added Razor Page handler method parameters (e.g., `OnGet`, `OnPost`, `OnPostAsync`) as remote flow sources, enabling security queries such as `cs/sql-injection` to detect vulnerabilities in `PageModel` subclasses.
+
+### Minor Analysis Improvements
+
+* Improved property and indexer call target resolution for partially overridden properties and indexers.
+* Improved extraction of range-access expressions on spans and strings (for example, `a[0..3]`). These expressions are now extracted as `Slice` (span) or `Substring` (string) calls.
+* Improved call target resolution for ref-return properties and indexers.
+
 ## 6.0.2
 
 ### Minor Analysis Improvements

csharp/ql/lib/change-notes/2026-05-19-properties-indexers-refreturn.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Improved call target resolution for ref-return properties and indexers.

csharp/ql/lib/change-notes/2026-05-21-spanaccess-range.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Improved extraction of range-access expressions on spans and strings (for example, `a[0..3]`). These expressions are now extracted as `Slice` (span) or `Substring` (string) calls.

csharp/ql/lib/change-notes/2026-05-22-property-indexer-partial-override.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Improved property and indexer call target resolution for partially overridden properties and indexers.

csharp/ql/lib/change-notes/2026-06-12-razor-page-handler-sources.md

@@ -1,4 +0,0 @@
----
-category: majorAnalysis
----
-* Added Razor Page handler method parameters (e.g., `OnGet`, `OnPost`, `OnPostAsync`) as remote flow sources, enabling security queries such as `cs/sql-injection` to detect vulnerabilities in `PageModel` subclasses.

csharp/ql/lib/change-notes/2026-06-12-restructure-operations.md

@@ -1,4 +0,0 @@
----
-category: breaking
----
-* Renamed types related to *operation* expressions. The QL classes `BinaryArithmeticOperation`, `BinaryBitwiseOperation`, and `BinaryLogicalOperation` now include compound assignments; for example, `BinaryArithmeticOperation` now includes `a += b`.

csharp/ql/lib/change-notes/released/7.0.0.md

@@ -0,0 +1,15 @@
+## 7.0.0
+
+### Breaking Changes
+
+* Renamed types related to *operation* expressions. The QL classes `BinaryArithmeticOperation`, `BinaryBitwiseOperation`, and `BinaryLogicalOperation` now include compound assignments; for example, `BinaryArithmeticOperation` now includes `a += b`.
+
+### Major Analysis Improvements
+
+* Added Razor Page handler method parameters (e.g., `OnGet`, `OnPost`, `OnPostAsync`) as remote flow sources, enabling security queries such as `cs/sql-injection` to detect vulnerabilities in `PageModel` subclasses.
+
+### Minor Analysis Improvements
+
+* Improved property and indexer call target resolution for partially overridden properties and indexers.
+* Improved extraction of range-access expressions on spans and strings (for example, `a[0..3]`). These expressions are now extracted as `Slice` (span) or `Substring` (string) calls.
+* Improved call target resolution for ref-return properties and indexers.

csharp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 6.0.2
+lastReleaseVersion: 7.0.0

csharp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 6.0.3-dev
+version: 7.0.0
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp

csharp/ql/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.7.5
+
+No user-facing changes.
+
 ## 1.7.4
 
 No user-facing changes.

csharp/ql/src/Dead Code/DeadStoreOfLocal.ql

@@ -14,54 +14,6 @@
 
 import csharp
 
-/**
- * Gets a callable that either directly captures local variable `v`, or which
- * is enclosed by the callable that declares `v` and encloses a callable that
- * captures `v`.
- */
-Callable getACapturingCallableAncestor(LocalVariable v) {
-  result = v.getACapturingCallable()
-  or
-  exists(Callable mid | mid = getACapturingCallableAncestor(v) |
-    result = mid.getEnclosingCallable() and
-    not v.getEnclosingCallable() = result
-  )
-}
-
-Expr getADelegateExpr(Callable c) {
-  c = result.(CallableAccess).getTarget()
-  or
-  result = c.(AnonymousFunctionExpr)
-}
-
-/**
- * Holds if `c` is a call where any delegate argument is evaluated immediately.
- */
-predicate nonEscapingCall(Call c) {
-  exists(string name | c.getTarget().hasName(name) |
-    name =
-      [
-        "ForEach", "Count", "Any", "All", "Average", "Aggregate", "First", "Last", "FirstOrDefault",
-        "LastOrDefault", "LongCount", "Max", "Single", "SingleOrDefault", "Sum"
-      ]
-  )
-}
-
-/**
- * Holds if `v` is a captured local variable, and one of the callables capturing
- * `v` may escape the local scope.
- */
-predicate mayEscape(LocalVariable v) {
-  exists(Callable c, Expr e, Expr succ | c = getACapturingCallableAncestor(v) |
-    e = getADelegateExpr(c) and
-    DataFlow::localExprFlow(e, succ) and
-    not succ = any(DelegateCall dc).getExpr() and
-    not succ = any(Cast cast).getExpr() and
-    not succ = any(Call call | nonEscapingCall(call)).getAnArgument() and
-    not succ = any(AssignableDefinition ad | ad.getTarget() instanceof LocalVariable).getSource()
-  )
-}
-
 class RelevantDefinition extends AssignableDefinition {
   RelevantDefinition() {
     this.(AssignableDefinitions::AssignmentDefinition).getAssignment() =
@@ -94,8 +46,6 @@ class RelevantDefinition extends AssignableDefinition {
       // SSA definitions are only created for live variables
       this = any(SsaExplicitWrite ssaDef).getDefinition()
       or
-      mayEscape(v)
-      or
       v.isCaptured()
     )
   }

csharp/ql/src/change-notes/released/1.7.5.md

@@ -0,0 +1,3 @@
+## 1.7.5
+
+No user-facing changes.

csharp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.4
+lastReleaseVersion: 1.7.5

csharp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.7.5-dev
+version: 1.7.5
 groups:
   - csharp
   - queries

go/ql/consistency-queries/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.0.52
+
+No user-facing changes.
+
 ## 1.0.51
 
 No user-facing changes.

go/ql/consistency-queries/change-notes/released/1.0.52.md

@@ -0,0 +1,3 @@
+## 1.0.52
+
+No user-facing changes.

go/ql/consistency-queries/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.51
+lastReleaseVersion: 1.0.52

go/ql/consistency-queries/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql-go-consistency-queries
-version: 1.0.52-dev
+version: 1.0.52
 groups:
   - go
   - queries

go/ql/lib/CHANGELOG.md

@@ -1,3 +1,20 @@
+## 7.2.0
+
+### Deprecated APIs
+
+* `FuncTypeExpr.getResultDecl()` has been deprecated. Use `FuncTypeExpr.getResultDecl(int i)` instead.
+
+### Minor Analysis Improvements
+
+* Added models for the `log/slog` package (Go 1.21+). Its logging functions and
+  `*slog.Logger` methods (`Debug`/`Info`/`Warn`/`Error`, their `Context`
+  variants, and `Log`/`LogAttrs`) are now recognized as logging sinks, so the
+  `go/log-injection` and `go/clear-text-logging` queries cover code that logs
+  through `slog`.
+* `DataFlow::ResultNode`s are no longer created for returned expressions in functions with named result parameters. In this case there are already result nodes corresponding to `IR::ReadResultInstruction`s at the end of the function body.
+* `FuncTypeExpr.getNumResult()` now gets the number of result parameters. It previously got the number of result declarations, which is different when one result declaration declares more than one variable, as in `x, y int`. All uses of it expected the number of result parameters. Its QLDoc has been updated.
+* More logging functions are now recognized as not returning or panicking.
+
 ## 7.1.2
 
 No user-facing changes.

go/ql/lib/change-notes/2026-06-01-non-returning-functions.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* More logging functions are now recognized as not returning or panicking.

go/ql/lib/change-notes/2026-06-08-deprecate-functypeexpr-getresultdecl.md

@@ -1,4 +0,0 @@
----
-category: deprecated
----
-* `FuncTypeExpr.getResultDecl()` has been deprecated. Use `FuncTypeExpr.getResultDecl(int i)` instead.

go/ql/lib/change-notes/2026-06-08-fix-result-nodes.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* `DataFlow::ResultNode`s are no longer created for returned expressions in functions with named result parameters. In this case there are already result nodes corresponding to `IR::ReadResultInstruction`s at the end of the function body.

go/ql/lib/change-notes/2026-06-08-functypeexpr-getnumresult.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* `FuncTypeExpr.getNumResult()` now gets the number of result parameters. It previously got the number of result declarations, which is different when one result declaration declares more than one variable, as in `x, y int`. All uses of it expected the number of result parameters. Its QLDoc has been updated.

go/ql/lib/change-notes/2026-06-17-model-log-slog.md

@@ -1,8 +0,0 @@
----
-category: minorAnalysis
----
-* Added models for the `log/slog` package (Go 1.21+). Its logging functions and
-  `*slog.Logger` methods (`Debug`/`Info`/`Warn`/`Error`, their `Context`
-  variants, and `Log`/`LogAttrs`) are now recognized as logging sinks, so the
-  `go/log-injection` and `go/clear-text-logging` queries cover code that logs
-  through `slog`.

go/ql/lib/change-notes/released/7.2.0.md

@@ -0,0 +1,16 @@
+## 7.2.0
+
+### Deprecated APIs
+
+* `FuncTypeExpr.getResultDecl()` has been deprecated. Use `FuncTypeExpr.getResultDecl(int i)` instead.
+
+### Minor Analysis Improvements
+
+* Added models for the `log/slog` package (Go 1.21+). Its logging functions and
+  `*slog.Logger` methods (`Debug`/`Info`/`Warn`/`Error`, their `Context`
+  variants, and `Log`/`LogAttrs`) are now recognized as logging sinks, so the
+  `go/log-injection` and `go/clear-text-logging` queries cover code that logs
+  through `slog`.
+* `DataFlow::ResultNode`s are no longer created for returned expressions in functions with named result parameters. In this case there are already result nodes corresponding to `IR::ReadResultInstruction`s at the end of the function body.
+* `FuncTypeExpr.getNumResult()` now gets the number of result parameters. It previously got the number of result declarations, which is different when one result declaration declares more than one variable, as in `x, y int`. All uses of it expected the number of result parameters. Its QLDoc has been updated.
+* More logging functions are now recognized as not returning or panicking.

go/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 7.1.2
+lastReleaseVersion: 7.2.0

go/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/go-all
-version: 7.1.3-dev
+version: 7.2.0
 groups: go
 dbscheme: go.dbscheme
 extractor: go

go/ql/src/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 1.6.5
+
+### Minor Analysis Improvements
+
+* The query `go/unhandled-writable-file-close` ("Writable file handle closed without error handling") now produces fewer false positives. A deferred call to `Close` that is preceded on every execution path by a handled call to `Sync` on the same file handle is no longer flagged.
+
 ## 1.6.4
 
 No user-facing changes.

go/ql/src/change-notes/released/1.6.5.md

@@ -1,4 +1,5 @@
----
-category: minorAnalysis
----
+## 1.6.5
+
+### Minor Analysis Improvements
+
 * The query `go/unhandled-writable-file-close` ("Writable file handle closed without error handling") now produces fewer false positives. A deferred call to `Close` that is preceded on every execution path by a handled call to `Sync` on the same file handle is no longer flagged.

go/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.6.4
+lastReleaseVersion: 1.6.5

go/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/go-queries
-version: 1.6.5-dev
+version: 1.6.5
 groups:
   - go
   - queries

java/ql/integration-tests/java/buildless-inherit-trust-store/settings.xml

@@ -0,0 +1,10 @@
+<settings>
+  <mirrors>
+    <mirror>
+      <id>google-maven-central</id>
+      <name>GCS Maven Central mirror</name>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
+      <mirrorOf>central</mirrorOf>
+    </mirror>
+  </mirrors>
+</settings>

java/ql/integration-tests/java/buildless-inherit-trust-store/test.py

@@ -21,6 +21,7 @@ def test(codeql, java, cwd, check_diagnostics_java):
             _env={
                 "MAVEN_OPTS": maven_opts,
                 "CODEQL_JAVA_EXTRACTOR_TRUST_STORE_PATH": str(certspath),
+                "LGTM_INDEX_MAVEN_SETTINGS_FILE": os.path.join(os.path.dirname(os.path.realpath(__file__)), "settings.xml"),
             },
         )
     finally:

java/ql/integration-tests/java/buildless-maven-executable-war/buildless-fetches.expected

@@ -1,3 +1,5 @@
+https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
 https://repo.jenkins-ci.org/releases/org/jenkins-ci/main/jenkins-war/2.249/jenkins-war-2.249.war
 https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
 https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
@@ -10,9 +12,7 @@ https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-example_2.11/0.1.2/r
 https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
 https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
 https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
-https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.jar
 https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
-https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar

java/ql/integration-tests/java/buildless-maven-executable-war/settings.xml

@@ -0,0 +1,10 @@
+<settings>
+  <mirrors>
+    <mirror>
+      <id>google-maven-central</id>
+      <name>GCS Maven Central mirror</name>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
+      <mirrorOf>central</mirrorOf>
+    </mirror>
+  </mirrors>
+</settings>

java/ql/integration-tests/java/buildless-maven-executable-war/source_archive.expected

@@ -1,4 +1,5 @@
 pom.xml
+settings.xml
 src/main/java/com/example/App.java
 src/main/resources/my-app.properties
 src/main/resources/page.xml

java/ql/integration-tests/java/buildless-maven-executable-war/test.py

@@ -1,7 +1,10 @@
+import os
+
 def test(codeql, java, check_diagnostics_java):
     codeql.database.create(
         _env={
             "CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS": "true",
             "CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS_CLASSPATH_FROM_BUILD_FILES": "true",
+            "LGTM_INDEX_MAVEN_SETTINGS_FILE": os.path.join(os.path.dirname(os.path.realpath(__file__)), "settings.xml"),
         }
     )

java/ql/integration-tests/java/buildless-maven-existing-settings-xml/buildless-fetches.expected

@@ -1,3 +1,5 @@
+https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
 https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
 https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
 https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
@@ -9,9 +11,7 @@ https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-example_2.11/0.1.2/r
 https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
 https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
 https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
-https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.jar
 https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
-https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar

java/ql/integration-tests/java/buildless-maven-existing-settings-xml/maven-fetches.expected

@@ -1,6 +1,6 @@
-Downloaded from central: https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.pom
-Downloaded from central: https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.pom
-Downloaded from central: https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-parent/1.3/hamcrest-parent-1.3.pom
+Downloaded from central: https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.pom
+Downloaded from central: https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.pom
+Downloaded from central: https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-parent/1.3/hamcrest-parent-1.3.pom
 Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.18.6/jackson-annotations-2.18.6.jar
 Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.18.6/jackson-annotations-2.18.6.pom
 Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-core/2.18.6/jackson-core-2.18.6.jar

java/ql/integration-tests/java/buildless-maven-existing-settings-xml/pom.xml

@@ -111,4 +111,30 @@
       </plugins>
     </pluginManagement>
   </build>
+
+  <!-- Use the Google Cloud Storage mirror of Maven Central for better download speeds and reliability -->
+  <repositories>
+    <repository>
+      <id>central</id>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
+      <snapshots>
+        <enabled>true</enabled>
+      </snapshots>
+      <releases>
+        <enabled>true</enabled>
+      </releases>
+    </repository>
+  </repositories>
+  <pluginRepositories>
+    <pluginRepository>
+      <id>central</id>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
+      <snapshots>
+        <enabled>true</enabled>
+      </snapshots>
+      <releases>
+        <enabled>true</enabled>
+      </releases>
+    </pluginRepository>
+  </pluginRepositories>
 </project>

java/ql/integration-tests/java/buildless-maven-mirrorof/buildless-fetches.expected

@@ -1,3 +1,5 @@
+https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
 https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
 https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
 https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
@@ -22,5 +24,3 @@ https://repo.maven.apache.org/maven2/org/minijax/minijax-example-websocket/0.5.1
 https://repo.maven.apache.org/maven2/org/scalamock/scalamock-examples_2.10/3.6.0/scalamock-examples_2.10-3.6.0.jar
 https://repo.maven.apache.org/maven2/org/somda/sdc/glue-examples/4.0.0/glue-examples-4.0.0.jar
 https://repo.maven.apache.org/maven2/us/fatehi/schemacrawler-examplecode/16.20.2/schemacrawler-examplecode-16.20.2.jar
-https://repo1.maven.org/maven2/junit/junit/4.11/junit-4.11.jar
-https://repo1.maven.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar

java/ql/integration-tests/java/buildless-maven-mirrorof/maven-fetches.expected

@@ -73,6 +73,6 @@ Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferst
 Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/sonatype/oss/oss-parent/7/oss-parent-7.pom
 Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/sonatype/oss/oss-parent/9/oss-parent-9.pom
 Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/sonatype/spice/spice-parent/17/spice-parent-17.pom
-Downloaded from mirror-force-central: https://repo1.maven.org/maven2/junit/junit/4.11/junit-4.11.pom
-Downloaded from mirror-force-central: https://repo1.maven.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.pom
-Downloaded from mirror-force-central: https://repo1.maven.org/maven2/org/hamcrest/hamcrest-parent/1.3/hamcrest-parent-1.3.pom
+Downloaded from google-maven-central: https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.pom
+Downloaded from google-maven-central: https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.pom
+Downloaded from google-maven-central: https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-parent/1.3/hamcrest-parent-1.3.pom

java/ql/integration-tests/java/buildless-maven-mirrorof/pom.xml

@@ -111,4 +111,30 @@
       </plugins>
     </pluginManagement>
   </build>
+
+  <!-- Use the Google Cloud Storage mirror of Maven Central for better download speeds and reliability -->
+  <repositories>
+    <repository>
+      <id>central</id>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
+      <snapshots>
+        <enabled>true</enabled>
+      </snapshots>
+      <releases>
+        <enabled>true</enabled>
+      </releases>
+    </repository>
+  </repositories>
+  <pluginRepositories>
+    <pluginRepository>
+      <id>central</id>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
+      <snapshots>
+        <enabled>true</enabled>
+      </snapshots>
+      <releases>
+        <enabled>true</enabled>
+      </releases>
+    </pluginRepository>
+  </pluginRepositories>
 </project>

java/ql/integration-tests/java/buildless-maven-mirrorof/settings-xml.expected

@@ -5,11 +5,11 @@
             
         <mirror>
                   
-            <id>mirror-force-central</id>
+            <id>google-maven-central</id>
                   
-            <name>Mirror Repository</name>
+            <name>GCS Maven Central mirror</name>
                   
-            <url>https://repo1.maven.org/maven2</url>
+            <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
                   
             <mirrorOf>*,!codeql-depgraph-plugin-repo</mirrorOf>
                 

java/ql/integration-tests/java/buildless-maven-mirrorof/settings.xml

@@ -1,9 +1,9 @@
 <settings>
   <mirrors>
     <mirror>
-      <id>mirror-force-central</id>
-      <name>Mirror Repository</name>
-      <url>https://repo1.maven.org/maven2</url>
+      <id>google-maven-central</id>
+      <name>GCS Maven Central mirror</name>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
       <mirrorOf>*</mirrorOf>
     </mirror>
   </mirrors>

java/ql/integration-tests/java/buildless-maven-multimodule/buildless-fetches.expected

@@ -1,3 +1,6 @@
+https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/apache/commons/commons-lang3/3.14.0/commons-lang3-3.14.0.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
 https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
 https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
 https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
@@ -9,10 +12,7 @@ https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-example_2.11/0.1.2/r
 https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
 https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
 https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
-https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.jar
 https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
-https://repo.maven.apache.org/maven2/org/apache/commons/commons-lang3/3.14.0/commons-lang3-3.14.0.jar
-https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar

java/ql/integration-tests/java/buildless-maven-multimodule/settings.xml

@@ -0,0 +1,10 @@
+<settings>
+  <mirrors>
+    <mirror>
+      <id>google-maven-central</id>
+      <name>GCS Maven Central mirror</name>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
+      <mirrorOf>central</mirrorOf>
+    </mirror>
+  </mirrors>
+</settings>

java/ql/integration-tests/java/buildless-maven-multimodule/source_archive.expected

@@ -1,4 +1,5 @@
 pom.xml
+settings.xml
 submod1/pom.xml
 submod1/src/main/java/com/example/App.java
 submod1/src/main/resources/my-app.properties

java/ql/integration-tests/java/buildless-maven-multimodule/test.py

@@ -1,7 +1,10 @@
+import os
+
 def test(codeql, java, check_diagnostics_java):
     codeql.database.create(
         _env={
             "CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS": "true",
             "CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS_CLASSPATH_FROM_BUILD_FILES": "true",
+            "LGTM_INDEX_MAVEN_SETTINGS_FILE": os.path.join(os.path.dirname(os.path.realpath(__file__)), "settings.xml"),
         }
     )

java/ql/integration-tests/java/buildless-maven-timeout/settings.xml

@@ -0,0 +1,10 @@
+<settings>
+  <mirrors>
+    <mirror>
+      <id>google-maven-central</id>
+      <name>GCS Maven Central mirror</name>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
+      <mirrorOf>central</mirrorOf>
+    </mirror>
+  </mirrors>
+</settings>

java/ql/integration-tests/java/buildless-maven-timeout/source_archive.expected

@@ -1,5 +1,6 @@
 .mvn/wrapper/maven-wrapper.properties
 pom.xml
+settings.xml
 src/main/java/com/example/App.java
 src/main/resources/my-app.properties
 src/main/resources/page.xml

java/ql/integration-tests/java/buildless-maven-timeout/test.py

@@ -1,6 +1,11 @@
+import os
+
 def test(codeql, java, check_diagnostics_java):
     # mvnw has been rigged to stall for a long time by trying to fetch from a black-hole IP. We should find the timeout logic fires and buildless aborts the Maven run quickly.
     codeql.database.create(
         build_mode="none",
-        _env={"CODEQL_EXTRACTOR_JAVA_BUILDLESS_CHILD_PROCESS_IDLE_TIMEOUT": "5"},
+        _env={
+            "CODEQL_EXTRACTOR_JAVA_BUILDLESS_CHILD_PROCESS_IDLE_TIMEOUT": "5",
+            "LGTM_INDEX_MAVEN_SETTINGS_FILE": os.path.join(os.path.dirname(os.path.realpath(__file__)), "settings.xml"),
+        },
     )

java/ql/integration-tests/java/buildless-maven-tolerate-unavailable-dependency/settings.xml

@@ -0,0 +1,10 @@
+<settings>
+  <mirrors>
+    <mirror>
+      <id>google-maven-central</id>
+      <name>GCS Maven Central mirror</name>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
+      <mirrorOf>central</mirrorOf>
+    </mirror>
+  </mirrors>
+</settings>

java/ql/integration-tests/java/buildless-maven-tolerate-unavailable-dependency/test.py

@@ -1,4 +1,9 @@
+import os
+
 def test(codeql, java, check_diagnostics_java):
     codeql.database.create(
         build_mode="none",
+        _env={
+            "LGTM_INDEX_MAVEN_SETTINGS_FILE": os.path.join(os.path.dirname(os.path.realpath(__file__)), "settings.xml"),
+        }
     )

java/ql/integration-tests/java/buildless-maven/buildless-fetches.expected

@@ -1,3 +1,5 @@
+https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
 https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
 https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
 https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
@@ -9,9 +11,7 @@ https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-example_2.11/0.1.2/r
 https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
 https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
 https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
-https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.jar
 https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
-https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar

java/ql/integration-tests/java/buildless-maven/maven-fetches.expected

@@ -1,6 +1,6 @@
-Downloaded from central: https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.pom
-Downloaded from central: https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.pom
-Downloaded from central: https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-parent/1.3/hamcrest-parent-1.3.pom
+Downloaded from central: https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.pom
+Downloaded from central: https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.pom
+Downloaded from central: https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-parent/1.3/hamcrest-parent-1.3.pom
 Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.18.6/jackson-annotations-2.18.6.jar
 Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.18.6/jackson-annotations-2.18.6.pom
 Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-core/2.18.6/jackson-core-2.18.6.jar

java/ql/integration-tests/java/buildless-maven/pom.xml

@@ -111,4 +111,30 @@
       </plugins>
     </pluginManagement>
   </build>
+
+  <!-- Use the Google Cloud Storage mirror of Maven Central for better download speeds and reliability -->
+  <repositories>
+    <repository>
+      <id>central</id>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
+      <snapshots>
+        <enabled>true</enabled>
+      </snapshots>
+      <releases>
+        <enabled>true</enabled>
+      </releases>
+    </repository>
+  </repositories>
+  <pluginRepositories>
+    <pluginRepository>
+      <id>central</id>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
+      <snapshots>
+        <enabled>true</enabled>
+      </snapshots>
+      <releases>
+        <enabled>true</enabled>
+      </releases>
+    </pluginRepository>
+  </pluginRepositories>
 </project>

java/ql/integration-tests/java/buildless-proxy-maven/buildless-fetches.expected

@@ -1,3 +1,5 @@
+https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
 https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
 https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
 https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
@@ -9,9 +11,7 @@ https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-example_2.11/0.1.2/r
 https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
 https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
 https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
-https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.jar
 https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
-https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar

java/ql/integration-tests/java/buildless-proxy-maven/settings.xml

@@ -0,0 +1,10 @@
+<settings>
+  <mirrors>
+    <mirror>
+      <id>google-maven-central</id>
+      <name>GCS Maven Central mirror</name>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
+      <mirrorOf>central</mirrorOf>
+    </mirror>
+  </mirrors>
+</settings>

java/ql/integration-tests/java/buildless-proxy-maven/source_archive.expected

@@ -1,4 +1,5 @@
 pom.xml
+settings.xml
 src/main/java/com/example/App.java
 src/main/resources/my-app.properties
 src/main/resources/page.xml