Merge remote-tracking branch 'origin/main' into redsun82/just2

Just: run Swift extra-tests sequentially
The parallel attribute causes concurrent sembuild calls that conflict with each other. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-05-26 17:11:24 +02:00 · 2026-04-15 09:12:25 +02:00 · 2026-04-15 09:10:50 +02:00 · 2026-04-14 14:36:34 +02:00 · 2026-04-14 11:34:25 +02:00 · 2026-04-13 18:02:28 +02:00
1579 changed files with 101067 additions and 208653 deletions
--- a/.github/workflows/mad_modelDiff.yml
+++ b/.github/workflows/mad_modelDiff.yml
@@ -70,7 +70,7 @@ jobs:
            SHORTNAME=`basename $DATABASE`
            python misc/scripts/models-as-data/generate_mad.py --language java --with-summaries --with-sinks $DATABASE $SHORTNAME/$QL_VARIANT
            mkdir -p $MODELS/$SHORTNAME
-            mv java/ql/lib/ext/generated/modelgenerator/$SHORTNAME/$QL_VARIANT $MODELS/$SHORTNAME
+            mv java/ql/lib/ext/generated/$SHORTNAME/$QL_VARIANT $MODELS/$SHORTNAME
            cd ..
          }

--- a/.github/workflows/python-tooling.yml
+++ b/.github/workflows/python-tooling.yml
@@ -5,7 +5,7 @@ on:
    paths:
      - "misc/bazel/**"
      - "misc/codegen/**"
-      - "misc/scripts/models-as-data/*.py"
+      - "misc/scripts/models-as-data/bulk_generate_mad.py"
      - "*.bazel*"
      - .github/workflows/codegen.yml
      - .pre-commit-config.yaml
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -140,26 +140,6 @@ version = "0.22.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6"

-[[package]]
-name = "bindgen"
-version = "0.72.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "993776b509cfb49c750f11b8f07a46fa23e0a1386ffc01fb1e7d343efc387895"
-dependencies = [
- "bitflags 2.9.4",
- "cexpr",
- "clang-sys",
- "itertools 0.12.1",
- "log 0.4.28",
- "prettyplease",
- "proc-macro2",
- "quote",
- "regex",
- "rustc-hash 2.1.1",
- "shlex",
- "syn",
-]
-
 [[package]]
 name = "bitflags"
 version = "1.3.2"
@@ -260,9 +240,9 @@ dependencies = [

 [[package]]
 name = "cc"
-version = "1.2.61"
+version = "1.2.37"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d16d90359e986641506914ba71350897565610e87ce0ad9e6f28569db3dd5c6d"
+checksum = "65193589c6404eb80b450d618eaf9a2cafaaafd57ecce47370519ef674a7bd44"
 dependencies = [
 "find-msvc-tools",
 "jobserver",
@@ -270,15 +250,6 @@ dependencies = [
 "shlex",
 ]

-[[package]]
-name = "cexpr"
-version = "0.6.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6fac387a98bb7c37292057cffc56d62ecb629900026402633ae9160df93a8766"
-dependencies = [
- "nom",
-]
-
 [[package]]
 name = "cfg-if"
 version = "1.0.3"
@@ -357,7 +328,7 @@ dependencies = [
 "chalk-derive 0.103.0",
 "chalk-ir 0.103.0",
 "ena",
- "indexmap 2.14.0",
+ "indexmap 2.11.4",
 "itertools 0.12.1",
 "petgraph",
 "rustc-hash 1.1.0",
@@ -378,17 +349,6 @@ dependencies = [
 "windows-link 0.2.0",
 ]

-[[package]]
-name = "clang-sys"
-version = "1.8.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0b023947811758c97c59bf9d1c188fd619ad4718dcaa767947df1cadb14f39f4"
-dependencies = [
- "glob",
- "libc",
- "libloading",
-]
-
 [[package]]
 name = "clap"
 version = "4.5.48"
@@ -456,7 +416,6 @@ dependencies = [
 "tree-sitter",
 "tree-sitter-json",
 "tree-sitter-ql",
- "yeast",
 "zstd",
 ]

@@ -478,25 +437,6 @@ dependencies = [
 "tree-sitter-ruby",
 ]

-[[package]]
-name = "codeql-extractor-unified"
-version = "0.1.0"
-dependencies = [
- "clap",
- "codeql-extractor",
- "encoding",
- "lazy_static",
- "rayon",
- "regex",
- "serde_json",
- "tracing",
- "tracing-subscriber",
- "tree-sitter",
- "tree-sitter-embedded-template",
- "tree-sitter-swift",
- "yeast",
-]
-
 [[package]]
 name = "codeql-rust"
 version = "0.1.0"
@@ -545,15 +485,6 @@ version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b05b61dc5112cbb17e4b6cd61790d9845d13888356391624cbe7e41efeac1e75"

-[[package]]
-name = "convert_case"
-version = "0.8.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "baaaa0ecca5b51987b9423ccdc971514dd8b0bb7b4060b983d3664dad3f1f89f"
-dependencies = [
- "unicode-segmentation",
-]
-
 [[package]]
 name = "core-foundation-sys"
 version = "0.8.7"
@@ -807,12 +738,6 @@ dependencies = [
 "typeid",
 ]

-[[package]]
-name = "fastrand"
-version = "2.4.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9f1f227452a390804cdb637b74a86990f2a7d7ba4b7d5693aac9b4dd6defd8d6"
-
 [[package]]
 name = "figment"
 version = "0.10.19"
@@ -829,9 +754,9 @@ dependencies = [

 [[package]]
 name = "find-msvc-tools"
-version = "0.1.9"
+version = "0.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5baebc0774151f905a1a2cc41989300b1e6fbb29aff0ceffa1064fdd3088d582"
+checksum = "7fd99930f64d146689264c637b5af2f0233a933bef0d8570e2526bf9e083192d"

 [[package]]
 name = "fixedbitset"
@@ -861,12 +786,6 @@ version = "0.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2"

-[[package]]
-name = "foldhash"
-version = "0.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "77ce24cb58228fbb8aa041425bb1050850ac19177686ea6e0f41a70416f56fdb"
-
 [[package]]
 name = "form_urlencoded"
 version = "1.2.2"
@@ -951,26 +870,9 @@ checksum = "9229cfe53dfd69f0609a49f65461bd93001ea1ef889cd5529dd176593f5338a1"
 dependencies = [
 "allocator-api2",
 "equivalent",
- "foldhash 0.1.5",
+ "foldhash",
 ]

-[[package]]
-name = "hashbrown"
-version = "0.16.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "841d1cc9bed7f9236f321df977030373f4a4163ae1a7dbfe1a51a2c1a51d9100"
-dependencies = [
- "allocator-api2",
- "equivalent",
- "foldhash 0.2.0",
-]
-
-[[package]]
-name = "hashbrown"
-version = "0.17.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ed5909b6e89a2db4456e54cd5f673791d7eca6732202bbf2a9cc504fe2f9b84a"
-
 [[package]]
 name = "hashlink"
 version = "0.10.0"
@@ -1157,25 +1059,16 @@ dependencies = [

 [[package]]
 name = "indexmap"
-version = "2.14.0"
+version = "2.11.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d466e9454f08e4a911e14806c24e16fba1b4c121d1ea474396f396069cf949d9"
+checksum = "4b0f83760fb341a774ed326568e19f5a863af4a952def8c39f9ab92fd95b88e5"
 dependencies = [
 "equivalent",
- "hashbrown 0.17.1",
+ "hashbrown 0.15.5",
 "serde",
 "serde_core",
 ]

-[[package]]
-name = "indoc"
-version = "2.0.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "79cf5c93f93228cf8efb3ba362535fb11199ac548a09ce117c9b1adc3030d706"
-dependencies = [
- "rustversion",
-]
-
 [[package]]
 name = "inlinable_string"
 version = "0.1.15"
@@ -1305,16 +1198,6 @@ version = "0.2.175"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6a82ae493e598baaea5209805c49bbf2ea7de956d50d7da0da1164f9c6d28543"

-[[package]]
-name = "libloading"
-version = "0.8.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d7c4b02199fee7c5d21a5ae7d8cfa79a6ef5bb2fc834d6e9058e89c825efdc55"
-dependencies = [
- "cfg-if",
- "windows-link 0.2.0",
-]
-
 [[package]]
 name = "line-index"
 version = "0.1.2"
@@ -1380,12 +1263,6 @@ dependencies = [
 "autocfg",
 ]

-[[package]]
-name = "minimal-lexical"
-version = "0.2.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a"
-
 [[package]]
 name = "miniz_oxide"
 version = "0.8.9"
@@ -1432,16 +1309,6 @@ version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2bf50223579dc7cdcfb3bfcacf7069ff68243f8c363f62ffa99cf000a6b9c451"

-[[package]]
-name = "nom"
-version = "7.1.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d273983c5a657a70a3e8f2a01329822f3b8c8172b73826411a55751e404a0a4a"
-dependencies = [
- "memchr",
- "minimal-lexical",
-]
-
 [[package]]
 name = "notify"
 version = "8.2.0"
@@ -1569,12 +1436,6 @@ dependencies = [
 "windows-targets 0.52.6",
 ]

-[[package]]
-name = "pathdiff"
-version = "0.2.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df94ce210e5bc13cb6651479fa48d14f601d9858cfe0467f43ae157023b938d3"
-
 [[package]]
 name = "pear"
 version = "0.2.9"
@@ -1630,36 +1491,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b4c5cc86750666a3ed20bdaf5ca2a0344f9c67674cae0515bec2da16fbaa47db"
 dependencies = [
 "fixedbitset",
- "indexmap 2.14.0",
-]
-
-[[package]]
-name = "phf"
-version = "0.13.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c1562dc717473dbaa4c1f85a36410e03c047b2e7df7f45ee938fbef64ae7fadf"
-dependencies = [
- "phf_shared",
- "serde",
-]
-
-[[package]]
-name = "phf_generator"
-version = "0.13.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "135ace3a761e564ec88c03a77317a7c6b80bb7f7135ef2544dbe054243b89737"
-dependencies = [
- "fastrand",
- "phf_shared",
-]
-
-[[package]]
-name = "phf_shared"
-version = "0.13.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e57fef6bc5981e38c2ce2d63bfa546861309f875b8a75f092d1d54ae2d64f266"
-dependencies = [
- "siphasher",
+ "indexmap 2.11.4",
 ]

 [[package]]
@@ -1704,25 +1536,6 @@ dependencies = [
 "zerocopy",
 ]

-[[package]]
-name = "prettyplease"
-version = "0.2.37"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "479ca8adacdd7ce8f1fb39ce9ecccbfe93a3f1344b3d0d97f20bc0196208f62b"
-dependencies = [
- "proc-macro2",
- "syn",
-]
-
-[[package]]
-name = "proc-macro-crate"
-version = "3.5.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e67ba7e9b2b56446f1d419b1d807906278ffa1a658a8a5d8a39dcb1f5a78614f"
-dependencies = [
- "toml_edit 0.25.11+spec-1.1.0",
-]
-
 [[package]]
 name = "proc-macro2"
 version = "1.0.101"
@@ -1854,7 +1667,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e876bb2c3e52a8d4e6684526a2d4e81f9d028b939ee4dc5dc775fe10deb44d59"
 dependencies = [
 "dashmap",
- "indexmap 2.14.0",
+ "indexmap 2.11.4",
 "la-arena",
 "ra_ap_cfg",
 "ra_ap_intern",
@@ -1896,7 +1709,7 @@ checksum = "ebffdc134eccabc17209d7760cfff7fd12ed18ab6e21188c5e084b97aa38504c"
 dependencies = [
 "arrayvec",
 "either",
- "indexmap 2.14.0",
+ "indexmap 2.11.4",
 "itertools 0.14.0",
 "ra_ap_base_db",
 "ra_ap_cfg",
@@ -1926,7 +1739,7 @@ dependencies = [
 "drop_bomb",
 "either",
 "fst",
- "indexmap 2.14.0",
+ "indexmap 2.11.4",
 "itertools 0.14.0",
 "la-arena",
 "ra-ap-rustc_abi",
@@ -1995,7 +1808,7 @@ dependencies = [
 "cov-mark",
 "either",
 "ena",
- "indexmap 2.14.0",
+ "indexmap 2.11.4",
 "itertools 0.14.0",
 "la-arena",
 "oorandom",
@@ -2033,7 +1846,7 @@ dependencies = [
 "crossbeam-channel",
 "either",
 "fst",
- "indexmap 2.14.0",
+ "indexmap 2.11.4",
 "itertools 0.14.0",
 "line-index",
 "memchr",
@@ -2135,7 +1948,7 @@ version = "0.0.301"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "45db9e2df587d56f0738afa89fb2c100ff7c1e9cbe49e07f6a8b62342832211b"
 dependencies = [
- "indexmap 2.14.0",
+ "indexmap 2.11.4",
 "ra_ap_intern",
 "ra_ap_paths",
 "ra_ap_span",
@@ -2294,7 +2107,7 @@ checksum = "6c174d6b9b7a7f54687df7e00c3e75ed6f082a7943a9afb1d54f33c0c12773de"
 dependencies = [
 "crossbeam-channel",
 "fst",
- "indexmap 2.14.0",
+ "indexmap 2.11.4",
 "nohash-hasher",
 "ra_ap_paths",
 "ra_ap_stdx",
@@ -2426,15 +2239,6 @@ version = "0.8.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "caf4aa5b0f434c91fe5c7f1ecb6a5ece2130b02ad2a590589dda5146df959001"

-[[package]]
-name = "relative-path"
-version = "2.0.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bca40a312222d8ba74837cb474edef44b37f561da5f773981007a10bbaa992b0"
-dependencies = [
- "serde",
-]
-
 [[package]]
 name = "rowan"
 version = "0.15.15"
@@ -2448,57 +2252,6 @@ dependencies = [
 "text-size",
 ]

-[[package]]
-name = "rquickjs"
-version = "0.10.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a135375fbac5ba723bb6a48f432a72f81539cedde422f0121a86c7c4e96d8e0d"
-dependencies = [
- "rquickjs-core",
- "rquickjs-macro",
-]
-
-[[package]]
-name = "rquickjs-core"
-version = "0.10.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bccb7121a123865c8ace4dea42e7ed84d78b90cbaf4ca32c59849d8d210c9672"
-dependencies = [
- "hashbrown 0.16.1",
- "phf",
- "relative-path",
- "rquickjs-sys",
-]
-
-[[package]]
-name = "rquickjs-macro"
-version = "0.10.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "89f93602cc3112c7f30bf5f29e722784232138692c7df4c52ebbac7e035d900d"
-dependencies = [
- "convert_case",
- "fnv",
- "ident_case",
- "indexmap 2.14.0",
- "phf_generator",
- "phf_shared",
- "proc-macro-crate",
- "proc-macro2",
- "quote",
- "rquickjs-core",
- "syn",
-]
-
-[[package]]
-name = "rquickjs-sys"
-version = "0.10.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "57b1b6528590d4d65dc86b5159eae2d0219709546644c66408b2441696d1d725"
-dependencies = [
- "bindgen",
- "cc",
-]
-
 [[package]]
 name = "rust-extractor-macros"
 version = "0.1.0"
@@ -2564,7 +2317,7 @@ dependencies = [
 "crossbeam-utils",
 "hashbrown 0.15.5",
 "hashlink",
- "indexmap 2.14.0",
+ "indexmap 2.11.4",
 "intrusive-collections",
 "papaya",
 "parking_lot",
@@ -2653,12 +2406,11 @@ dependencies = [

 [[package]]
 name = "semver"
-version = "1.0.28"
+version = "1.0.26"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8a7852d02fc848982e0c167ef163aaff9cd91dc640ba85e263cb1ce46fae51cd"
+checksum = "56e6fa9c48d24d85fb3de5ad847117517440f6beceb7798af16b4a87d616b8d0"
 dependencies = [
 "serde",
- "serde_core",
 ]

 [[package]]
@@ -2718,7 +2470,7 @@ version = "1.0.145"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "402a6f66d8c709116cf22f558eab210f5a50187f702eb4d7e5ef38d9a7f1c79c"
 dependencies = [
- "indexmap 2.14.0",
+ "indexmap 2.11.4",
 "itoa",
 "memchr",
 "ryu",
@@ -2754,7 +2506,7 @@ dependencies = [
 "chrono",
 "hex",
 "indexmap 1.9.3",
- "indexmap 2.14.0",
+ "indexmap 2.11.4",
 "schemars 0.9.0",
 "schemars 1.0.4",
 "serde",
@@ -2782,7 +2534,7 @@ version = "0.9.34+deprecated"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6a8b1a1a2ebf674015cc02edccce75287f1a0130d394307b36743c2f5d504b47"
 dependencies = [
- "indexmap 2.14.0",
+ "indexmap 2.11.4",
 "itoa",
 "ryu",
 "serde",
@@ -2804,18 +2556,6 @@ version = "1.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"

-[[package]]
-name = "siphasher"
-version = "1.0.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8ee5873ec9cce0195efcb7a4e9507a04cd49aec9c83d0389df45b1ef7ba2e649"
-
-[[package]]
-name = "smallbitvec"
-version = "2.6.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9b0e903ee191d8f7a8fbf0d712c3a1699d19e04ceba5ad1eb673053c7d938a09"
-
 [[package]]
 name = "smallvec"
 version = "1.15.1"
@@ -2892,18 +2632,18 @@ checksum = "144f754d318415ac792f9d69fc87abbbfc043ce2ef041c60f16ad828f638717d"

 [[package]]
 name = "thiserror"
-version = "2.0.18"
+version = "2.0.16"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4288b5bcbc7920c07a1149a35cf9590a2aa808e0bc1eafaade0b80947865fbc4"
+checksum = "3467d614147380f2e4e374161426ff399c91084acd2363eaf549172b3d5e60c0"
 dependencies = [
 "thiserror-impl",
 ]

 [[package]]
 name = "thiserror-impl"
-version = "2.0.18"
+version = "2.0.16"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ebc4ee7f67670e9b64d05fa4253e753e016c6c95ff35b89b7941d6b856dec1d5"
+checksum = "6c5e1be1c48b9172ee610da68fd9cd2770e7a4056cb3fc98710ee6906f0c7960"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -2968,7 +2708,7 @@ dependencies = [
 "serde",
 "serde_spanned 0.6.9",
 "toml_datetime 0.6.11",
- "toml_edit 0.22.27",
+ "toml_edit",
 ]

 [[package]]
@@ -2977,13 +2717,13 @@ version = "0.9.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "00e5e5d9bf2475ac9d4f0d9edab68cc573dc2fd644b0dba36b0c30a92dd9eaa0"
 dependencies = [
- "indexmap 2.14.0",
+ "indexmap 2.11.4",
 "serde_core",
 "serde_spanned 1.0.2",
 "toml_datetime 0.7.2",
 "toml_parser",
 "toml_writer",
- "winnow 0.7.13",
+ "winnow",
 ]

 [[package]]
@@ -3004,48 +2744,27 @@ dependencies = [
 "serde_core",
 ]

-[[package]]
-name = "toml_datetime"
-version = "1.1.1+spec-1.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3165f65f62e28e0115a00b2ebdd37eb6f3b641855f9d636d3cd4103767159ad7"
-dependencies = [
- "serde_core",
-]
-
 [[package]]
 name = "toml_edit"
 version = "0.22.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "41fe8c660ae4257887cf66394862d21dbca4a6ddd26f04a3560410406a2f819a"
 dependencies = [
- "indexmap 2.14.0",
+ "indexmap 2.11.4",
 "serde",
 "serde_spanned 0.6.9",
 "toml_datetime 0.6.11",
 "toml_write",
- "winnow 0.7.13",
-]
-
-[[package]]
-name = "toml_edit"
-version = "0.25.11+spec-1.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0b59c4d22ed448339746c59b905d24568fcbb3ab65a500494f7b8c3e97739f2b"
-dependencies = [
- "indexmap 2.14.0",
- "toml_datetime 1.1.1+spec-1.1.0",
- "toml_parser",
- "winnow 1.0.2",
+ "winnow",
 ]

 [[package]]
 name = "toml_parser"
-version = "1.1.2+spec-1.1.0"
+version = "1.0.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a2abe9b86193656635d2411dc43050282ca48aa31c2451210f4202550afb7526"
+checksum = "4cf893c33be71572e0e9aa6dd15e6677937abd686b066eac3f8cd3531688a627"
 dependencies = [
- "winnow 1.0.2",
+ "winnow",
 ]

 [[package]]
@@ -3060,12 +2779,6 @@ version = "1.0.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d163a63c116ce562a22cda521fcc4d79152e7aba014456fb5eb442f6d6a10109"

-[[package]]
-name = "topological-sort"
-version = "0.2.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ea68304e134ecd095ac6c3574494fc62b909f416c4fca77e440530221e549d3d"
-
 [[package]]
 name = "tracing"
 version = "0.1.41"
@@ -3140,9 +2853,9 @@ dependencies = [

 [[package]]
 name = "tree-sitter"
-version = "0.26.8"
+version = "0.25.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "887bd495d0582c5e3e0d8ece2233666169fa56a9644d172fc22ad179ab2d0538"
+checksum = "ccd2a058a86cfece0bf96f7cce1021efef9c8ed0e892ab74639173e5ed7a34fa"
 dependencies = [
 "cc",
 "regex",
@@ -3162,30 +2875,6 @@ dependencies = [
 "tree-sitter-language",
 ]

-[[package]]
-name = "tree-sitter-generate"
-version = "0.26.8"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c3fb2e1bdb1d5f9d23cd5fa68cf98b3bedbd223c92a2edd60bbcf30bcf7180a5"
-dependencies = [
- "bitflags 2.9.4",
- "dunce",
- "indexmap 2.14.0",
- "indoc",
- "log 0.4.28",
- "pathdiff",
- "regex",
- "regex-syntax",
- "rquickjs",
- "rustc-hash 2.1.1",
- "semver",
- "serde",
- "serde_json",
- "smallbitvec",
- "thiserror",
- "topological-sort",
-]
-
 [[package]]
 name = "tree-sitter-json"
 version = "0.24.8"
@@ -3202,16 +2891,6 @@ version = "0.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c4013970217383f67b18aef68f6fb2e8d409bc5755227092d32efb0422ba24b8"

-[[package]]
-name = "tree-sitter-python"
-version = "0.23.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3d065aaa27f3aaceaf60c1f0e0ac09e1cb9eb8ed28e7bcdaa52129cffc7f4b04"
-dependencies = [
- "cc",
- "tree-sitter-language",
-]
-
 [[package]]
 name = "tree-sitter-ql"
 version = "0.23.1"
@@ -3232,15 +2911,6 @@ dependencies = [
 "tree-sitter-language",
 ]

-[[package]]
-name = "tree-sitter-swift"
-version = "0.7.2"
-dependencies = [
- "cc",
- "tree-sitter-generate",
- "tree-sitter-language",
-]
-
 [[package]]
 name = "triomphe"
 version = "0.1.14"
@@ -3290,12 +2960,6 @@ version = "0.1.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e70f2a8b45122e719eb623c01822704c4e0907e7e426a05927e1a1cfff5b75d0"

-[[package]]
-name = "unicode-segmentation"
-version = "1.13.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9629274872b2bfaf8d66f5f15725007f635594914870f65218920345aa11aa8c"
-
 [[package]]
 name = "unicode-xid"
 version = "0.2.6"
@@ -3685,15 +3349,6 @@ dependencies = [
 "memchr",
 ]

-[[package]]
-name = "winnow"
-version = "1.0.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2ee1708bef14716a11bae175f579062d4554d95be2c6829f518df847b7b3fdd0"
-dependencies = [
- "memchr",
-]
-
 [[package]]
 name = "wit-bindgen"
 version = "0.45.1"
@@ -3712,29 +3367,6 @@ version = "1.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "cfe53a6657fd280eaa890a3bc59152892ffa3e30101319d168b781ed6529b049"

-[[package]]
-name = "yeast"
-version = "0.1.0"
-dependencies = [
- "clap",
- "serde",
- "serde_json",
- "serde_yaml",
- "tree-sitter",
- "tree-sitter-python",
- "tree-sitter-ruby",
- "yeast-macros",
-]
-
-[[package]]
-name = "yeast-macros"
-version = "0.1.0"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn",
-]
-
 [[package]]
 name = "yoke"
 version = "0.8.0"
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -4,11 +4,7 @@
 resolver = "2"
 members = [
    "shared/tree-sitter-extractor",
-    "shared/yeast",
-    "shared/yeast-macros",
    "ruby/extractor",
-    "unified/extractor",
-    "unified/extractor/tree-sitter-swift",
    "rust/extractor",
    "rust/extractor/macros",
    "rust/ast-generator",
--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -102,7 +102,6 @@ use_repo(
    tree_sitter_extractors_deps,
    "vendor_ts__anyhow-1.0.100",
    "vendor_ts__argfile-0.2.1",
-    "vendor_ts__cc-1.2.61",
    "vendor_ts__chalk-ir-0.104.0",
    "vendor_ts__chrono-0.4.42",
    "vendor_ts__clap-4.5.48",
@@ -142,18 +141,14 @@ use_repo(
    "vendor_ts__serde-1.0.228",
    "vendor_ts__serde_json-1.0.145",
    "vendor_ts__serde_with-3.14.1",
-    "vendor_ts__serde_yaml-0.9.34-deprecated",
    "vendor_ts__syn-2.0.106",
    "vendor_ts__toml-0.9.7",
    "vendor_ts__tracing-0.1.41",
    "vendor_ts__tracing-flame-0.2.0",
    "vendor_ts__tracing-subscriber-0.3.20",
-    "vendor_ts__tree-sitter-0.26.8",
+    "vendor_ts__tree-sitter-0.25.9",
    "vendor_ts__tree-sitter-embedded-template-0.25.0",
-    "vendor_ts__tree-sitter-generate-0.26.8",
    "vendor_ts__tree-sitter-json-0.24.8",
-    "vendor_ts__tree-sitter-language-0.1.5",
-    "vendor_ts__tree-sitter-python-0.23.6",
    "vendor_ts__tree-sitter-ql-0.23.1",
    "vendor_ts__tree-sitter-ruby-0.23.1",
    "vendor_ts__triomphe-0.1.14",
--- a/actions/justfile
+++ b/actions/justfile
@@ -0,0 +1,7 @@
+import '../lib.just'
+
+[group('build')]
+build: (_build_dist "actions")
+
+[group('test')]
+language-tests *EXTRA_ARGS: (_language_tests EXTRA_ARGS source_dir() 'ql/test')
--- a/actions/ql/examples/snippets/uses_pinned_sha.ql
+++ b/actions/ql/examples/snippets/uses_pinned_sha.ql
@@ -8,5 +8,5 @@
 import actions

 from UsesStep uses
-where uses.getVersion().regexpMatch("^[A-Fa-f0-9]{40}([A-Fa-f0-9]{24})?$")
+where uses.getVersion().regexpMatch("^[A-Fa-f0-9]{40}$")
 select uses, "This 'uses' step has a pinned SHA version."
--- a/actions/ql/integration-tests/justfile
+++ b/actions/ql/integration-tests/justfile
@@ -0,0 +1,4 @@
+import "../../../lib.just"
+
+[no-cd]
+test *ARGS=".": (_integration_test ARGS)
--- a/actions/ql/justfile
+++ b/actions/ql/justfile
@@ -0,0 +1,6 @@
+import "../../lib.just"
+
+[no-cd]
+format *ARGS=".": (_format_ql ARGS)
+
+consistency_queries := ""
--- a/actions/ql/lib/CHANGELOG.md
+++ b/actions/ql/lib/CHANGELOG.md
@@ -1,19 +1,3 @@
-## 0.4.36
-
-### Minor Analysis Improvements
-
-* Altered 2 patterns in the `poisonable_steps` modelling. Extra sinks are detected in the following cases: scripts executed via python modules and `go run` in directories are detected as potential mechanisms of injection. For the go execution pattern, the pattern is updated to now ignore flags that occur between go and the specific command. This change may lead to more results being detected by the following queries: `actions/untrusted-checkout/high`, `actions/untrusted-checkout/critical`, `actions/untrusted-checkout-toctou/high`, `actions/untrusted-checkout-toctou/critical`, `actions/cache-poisoning/poisonable-step`, `actions/cache-poisoning/direct-cache` and `actions/artifact-poisoning/path-traversal`.
-
-## 0.4.35
-
-No user-facing changes.
-
-## 0.4.34
-
-### Minor Analysis Improvements
-
-* Removed false positive injection sink models for the `context` input of `docker/build-push-action` and the `allowed-endpoints` input of `step-security/harden-runner`.
-
 ## 0.4.33

 No user-facing changes.
--- a/actions/ql/lib/change-notes/2026-05-12-improved-alphanumeric-regex.md
+++ b/actions/ql/lib/change-notes/2026-05-12-improved-alphanumeric-regex.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, include regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a sha1 or sha256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.
--- a/actions/ql/lib/change-notes/released/0.4.34.md
+++ b/actions/ql/lib/change-notes/released/0.4.34.md
@@ -1,5 +0,0 @@
-## 0.4.34
-
-### Minor Analysis Improvements
-
-* Removed false positive injection sink models for the `context` input of `docker/build-push-action` and the `allowed-endpoints` input of `step-security/harden-runner`.
--- a/actions/ql/lib/change-notes/released/0.4.35.md
+++ b/actions/ql/lib/change-notes/released/0.4.35.md
@@ -1,3 +0,0 @@
-## 0.4.35
-
-No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.36.md
+++ b/actions/ql/lib/change-notes/released/0.4.36.md
@@ -1,5 +0,0 @@
-## 0.4.36
-
-### Minor Analysis Improvements
-
-* Altered 2 patterns in the `poisonable_steps` modelling. Extra sinks are detected in the following cases: scripts executed via python modules and `go run` in directories are detected as potential mechanisms of injection. For the go execution pattern, the pattern is updated to now ignore flags that occur between go and the specific command. This change may lead to more results being detected by the following queries: `actions/untrusted-checkout/high`, `actions/untrusted-checkout/critical`, `actions/untrusted-checkout-toctou/high`, `actions/untrusted-checkout-toctou/critical`, `actions/cache-poisoning/poisonable-step`, `actions/cache-poisoning/direct-cache` and `actions/artifact-poisoning/path-traversal`.
--- a/actions/ql/lib/codeql-pack.release.yml
+++ b/actions/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.36
+lastReleaseVersion: 0.4.33
--- a/actions/ql/lib/codeql/actions/Bash.qll
+++ b/actions/ql/lib/codeql/actions/Bash.qll
@@ -785,22 +785,7 @@ module Bash {

  /**
   * Holds if the given regex is used to match an alphanumeric string
-   * eg: `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$`, `^[0-9]+$` or `^[a-zA-Z0-9_]+$`
+   * eg: `^[0-9a-zA-Z]{40}$`, `^[0-9]+$` or `^[a-zA-Z0-9_]+$`
   */
-  string alphaNumericRegex() {
-    exists(string r1, string r2, string r3, string r4 |
-      // An alphanumeric character class
-      r1 = "\\[([09azAZ_-]+)\\]" and
-      // The same as above, followed by a quantifier like `+` or `{20}`
-      r2 = r1 + "(\\+|\\{\\d+\\})" and
-      // The same as above, possibly with parentheses around it
-      r3 = "\\(?" + r2 + "\\)?" and
-      // The same as above, possibly with a `?` after it
-      r4 = r3 + "\\??"
-    |
-      // The same as above, repeated one or more times, and with `^` at the
-      // beginning and `$` at the end
-      result = "^\\^(" + r4 + ")+\\$$"
-    )
-  }
+  string alphaNumericRegex() { result = "^\\^\\[([09azAZ_-]+)\\](\\+|\\{\\d+\\})\\$$" }
 }
--- a/actions/ql/lib/ext/config/poisonable_steps.yml
+++ b/actions/ql/lib/ext/config/poisonable_steps.yml
@@ -70,7 +70,7 @@ extensions:
      - ["(source|sh|bash|zsh|fish)\\s+([^\\s]+)\\b", 2]
      - ["(node)\\s+([^\\s]+)(\\.js|\\.ts)\\b", 2]
      - ["(python[\\d\\.]*)\\s+([^\\s]+)\\.py\\b", 2]
-      - ["(python[\\d\\.]*)\\s+-m\\s+([A-Za-z_][\\w\\.]*)\\b", 2] # eg: pythonX -m anything(dir or file)
      - ["(ruby)\\s+([^\\s]+)\\.rb\\b", 2]
-      - ["(go)\\s+(generate|run)(?:\\s+-[^\\s]+)*\\s+([^\\s]+)", 3]
+      - ["(go)\\s+(generate|run)\\s+([^\\s]+)\\.go\\b", 3]
      - ["(dotnet)\\s+([^\\s]+)\\.csproj\\b", 2]
+
--- a/actions/ql/lib/ext/manual/docker_build-push-action.model.yml
+++ b/actions/ql/lib/ext/manual/docker_build-push-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: actionsSinkModel
+    data:
+      - ["docker/build-push-action", "*", "input.context", "code-injection", "manual"]
--- a/actions/ql/lib/ext/manual/step-security_harden-runner.model.yml
+++ b/actions/ql/lib/ext/manual/step-security_harden-runner.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: actionsSinkModel
+    data:
+      - ["step-security/harden-runner", "*", "input.allowed-endpoints", "command-injection", "manual"]
--- a/actions/ql/lib/qlpack.yml
+++ b/actions/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.37-dev
+version: 0.4.34-dev
 library: true
 warnOnImplicitThis: true
 dependencies:
--- a/actions/ql/src/CHANGELOG.md
+++ b/actions/ql/src/CHANGELOG.md
@@ -1,31 +1,3 @@
-## 0.6.28
-
-### Query Metadata Changes
-
-* Adjusted the name of `actions/untrusted-checkout/high` to more clearly describe which parts of the scenario are in a privileged context.
-
-### Minor Analysis Improvements
-
-* The `actions/unpinned-tag` query now analyzes composite action metadata (`action.yml`/`action.yaml` files) in addition to workflow files, providing more comprehensive detection of unpinned action references across the entire Actions ecosystem.
-
-### Bug Fixes
-
-* Fixed help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Previously the messages were unclear as to why and how the vulnerabilities could occur. 
-
-## 0.6.27
-
-No user-facing changes.
-
-## 0.6.26
-
-### Major Analysis Improvements
-
-* Fixed alert messages in `actions/artifact-poisoning/critical` and `actions/artifact-poisoning/medium` as they previously included a redundant placeholder in the alert message that would on occasion contain a long block of yml that makes the alert difficult to understand. Also improved the wording to make it clearer that it is not the artifact that is being poisoned, but instead a potentially untrusted artifact that is consumed. Finally, changed the alert location to be the source, to align more with other queries reporting an artifact (e.g. zipslip) which is more useful.
-
-### Minor Analysis Improvements
-
-* The query `actions/missing-workflow-permissions` no longer produces false positive results on reusable workflows where all callers set permissions.
-
 ## 0.6.25

 No user-facing changes.
--- a/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
+++ b/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
@@ -1,5 +1,5 @@
 /**
- * @name Unpinned tag for a non-immutable Action in workflow or composite action
+ * @name Unpinned tag for a non-immutable Action in workflow
 * @description Using a tag for a non-immutable Action that is not pinned to a commit can lead to executing an untrusted Action through a supply chain attack.
 * @kind problem
 * @security-severity 5.0
@@ -15,9 +15,7 @@ import actions
 import codeql.actions.security.UseOfUnversionedImmutableAction

 bindingset[version]
-private predicate isPinnedCommit(string version) {
-  version.regexpMatch("^[A-Fa-f0-9]{40}([A-Fa-f0-9]{24})?$")
-}
+private predicate isPinnedCommit(string version) { version.regexpMatch("^[A-Fa-f0-9]{40}$") }

 bindingset[nwo]
 private predicate isTrustedOwner(string nwo) {
@@ -33,26 +31,15 @@ private predicate isPinnedContainer(string version) {
 bindingset[nwo]
 private predicate isContainerImage(string nwo) { nwo.regexpMatch("^docker://.+") }

-private predicate getStepContainerName(UsesStep uses, string name) {
-  exists(Workflow workflow |
-    uses.getEnclosingWorkflow() = workflow and
-    (
-      workflow.getName() = name
-      or
-      not exists(workflow.getName()) and workflow.getLocation().getFile().getBaseName() = name
-    )
-  )
-  or
-  exists(CompositeAction action |
-    uses.getEnclosingCompositeAction() = action and
-    name = action.getLocation().getFile().getBaseName()
-  )
-}
-
-from UsesStep uses, string nwo, string version, string name
+from UsesStep uses, string nwo, string version, Workflow workflow, string name
 where
  uses.getCallee() = nwo and
-  getStepContainerName(uses, name) and
+  uses.getEnclosingWorkflow() = workflow and
+  (
+    workflow.getName() = name
+    or
+    not exists(workflow.getName()) and workflow.getLocation().getFile().getBaseName() = name
+  ) and
  uses.getVersion() = version and
  not isTrustedOwner(nwo) and
  not (if isContainerImage(nwo) then isPinnedContainer(version) else isPinnedCommit(version)) and
--- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md
+++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md
@@ -1,35 +1,6 @@
 ## Overview

-GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. Under certain conditions described below, attackers can take over a repository by opening malicious PRs from forks. The attacks can result in malicious code execution causing unauthorized changes to the repository or exfiltration of repository secrets and a compromise of connected systems.
-
-## Workflow Security Model
-
-In GitHub Actions, there is a distinction between unprivileged and privileged workflows. For example, a workflow with a `pull_request` trigger is unprivileged while a workflow with `pull_request_target` is privileged.
-
-This is relevant especially for PRs from forks. Normal PRs can only be submitted by people who have write access to a repository, while PRs from forks can be submitted by anyone.
-
-On a PR from a fork, an unprivileged `pull_request` workflow has only limited capabilities but a privileged `pull_request_target` workflow is much more dangerous. A privileged workflow:
-
-  * Runs in the context of the base repository
-  * Has access to organization and repository secrets (e.g., API keys, deployment tokens)
-  * Has a read/write `GITHUB_TOKEN` by default
-  * Can access private resources
-
-Certain triggers automatically grant a workflow elevated privileges:
-
-  * `pull_request_target` as described above
-  * `workflow_run`: Triggered when another workflow completes.
-  * `issue_comment`: Triggered when a comment is made on an issue or PR.
-
-## Attack Details
-
-  * A repository has a privileged workflow
-  * An attacker forks the repository and adds malicious code (e.g., in the build script)
-  * The attacker opens a PR from the fork, and, if needed, comments on the PR
-  * The workflow in the base repository checks out the forked code
-  * The workflow runs the malicious code
-
-Please note that not only build scripts can be malicious code vectors. There is a large number of other possibilities. Some of them are listed in the [LOTP](https://boostsecurityio.github.io/lotp/) catalog.
+GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed (e.g., due to a modified build script) in a privileged job.

 ## Recommendation

@@ -41,8 +12,6 @@ The best practice is to handle the potentially untrusted pull request via the **

 The artifacts downloaded from the first workflow should be considered untrusted and must be verified.

-Additionally, ensure that least privilege are used both at the workflow level (through event triggers and workflow permissions) and job level (through job permissions).
-
 ## Example

 ### Incorrect Usage
@@ -164,6 +133,3 @@ jobs:
 ## References

 - GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
- Mitigating risks of untrusted checkout: [GitHub Docs](https://docs.github.com/en/enterprise-cloud@latest/actions/reference/security/secure-use#mitigating-the-risks-of-untrusted-code-checkout).
- Securing with least privilege: [Workflow secure use](https://docs.github.com/en/actions/reference/security/secure-use).
- Living Off the Pipeline: [LOTP](https://boostsecurityio.github.io/lotp/).
--- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
+++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
@@ -51,6 +51,5 @@ where
  event.getName() = checkoutTriggers() and
  not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout")) and
  not exists(ControlCheck check | check.protects(poisonable, event, "untrusted-checkout"))
-select checkout, checkout, poisonable,
-  "Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@).",
-  event, event.getName()
+select poisonable, checkout, poisonable,
+  "Potential execution of untrusted code on a privileged workflow ($@)", event, event.getName()
--- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md
+++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md
@@ -1,35 +1,6 @@
 ## Overview

-GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. Under certain conditions described below, attackers can take over a repository by opening malicious PRs from forks. The attacks can result in malicious code execution causing unauthorized changes to the repository or exfiltration of repository secrets and a compromise of connected systems.
-
-## Workflow Security Model
-
-In GitHub Actions, there is a distinction between unprivileged and privileged workflows. For example, a workflow with a `pull_request` trigger is unprivileged while a workflow with `pull_request_target` is privileged.
-
-This is relevant especially for PRs from forks. Normal PRs can only be submitted by people who have write access to a repository, while PRs from forks can be submitted by anyone.
-
-On a PR from a fork, an unprivileged `pull_request` workflow has only limited capabilities but a privileged `pull_request_target` workflow is much more dangerous. A privileged workflow:
-
-  * Runs in the context of the base repository
-  * Has access to organization and repository secrets (e.g., API keys, deployment tokens)
-  * Has a read/write `GITHUB_TOKEN` by default
-  * Can access private resources
-
-Certain triggers automatically grant a workflow elevated privileges:
-
-  * `pull_request_target` as described above
-  * `workflow_run`: Triggered when another workflow completes.
-  * `issue_comment`: Triggered when a comment is made on an issue or PR.
-
-## Attack Details
-
-  * A repository has a privileged workflow
-  * An attacker forks the repository and adds malicious code (e.g., in the build script)
-  * The attacker opens a PR from the fork, and, if needed, comments on the PR
-  * The workflow in the base repository checks out the forked code
-  * The workflow runs the malicious code
-
-Please note that not only build scripts can be malicious code vectors. There is a large number of other possibilities. Some of them are listed in the [LOTP](https://boostsecurityio.github.io/lotp/) catalog.
+GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed (e.g., due to a modified build script) in a privileged job.

 ## Recommendation

@@ -41,8 +12,6 @@ The best practice is to handle the potentially untrusted pull request via the **

 The artifacts downloaded from the first workflow should be considered untrusted and must be verified.

-Additionally, ensure that least privilege are used both at the workflow level (through event triggers and workflow permissions) and job level (through job permissions).
-
 ## Example

 ### Incorrect Usage
@@ -164,6 +133,3 @@ jobs:
 ## References

 - GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
- Mitigating risks of untrusted checkout: [GitHub Docs](https://docs.github.com/en/enterprise-cloud@latest/actions/reference/security/secure-use#mitigating-the-risks-of-untrusted-code-checkout).
- Securing with least privilege: [Workflow secure use](https://docs.github.com/en/actions/reference/security/secure-use).
- Living Off the Pipeline: [LOTP](https://boostsecurityio.github.io/lotp/).
--- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
+++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
@@ -1,5 +1,5 @@
 /**
- * @name Checkout of untrusted code in a privileged context
+ * @name Checkout of untrusted code in trusted context
 * @description Privileged workflows have read/write access to the base repository and access to secrets.
 *              By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
 *              that is able to push to the base repository and to access secrets.
@@ -42,6 +42,5 @@ where
    not event.getName() = "issue_comment" and
    not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout"))
  )
-select checkout,
-  "Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@).",
-  event, event.getName()
+select checkout, "Potential execution of untrusted code on a privileged workflow ($@)", event,
+  event.getName()
--- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md
+++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md
@@ -1,35 +1,6 @@
 ## Overview

-GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. Under certain conditions described below, attackers can take over a repository by opening malicious PRs from forks. The attacks can result in malicious code execution causing unauthorized changes to the repository or exfiltration of repository secrets and a compromise of connected systems.
-
-## Workflow Security Model
-
-In GitHub Actions, there is a distinction between unprivileged and privileged workflows. For example, a workflow with a `pull_request` trigger is unprivileged while a workflow with `pull_request_target` is privileged.
-
-This is relevant especially for PRs from forks. Normal PRs can only be submitted by people who have write access to a repository, while PRs from forks can be submitted by anyone.
-
-On a PR from a fork, an unprivileged `pull_request` workflow has only limited capabilities but a privileged `pull_request_target` workflow is much more dangerous. A privileged workflow:
-
-  * Runs in the context of the base repository
-  * Has access to organization and repository secrets (e.g., API keys, deployment tokens)
-  * Has a read/write `GITHUB_TOKEN` by default
-  * Can access private resources
-
-Certain triggers automatically grant a workflow elevated privileges:
-
-  * `pull_request_target` as described above
-  * `workflow_run`: Triggered when another workflow completes.
-  * `issue_comment`: Triggered when a comment is made on an issue or PR.
-
-## Attack Details
-
-  * A repository has a privileged workflow
-  * An attacker forks the repository and adds malicious code (e.g., in the build script)
-  * The attacker opens a PR from the fork, and, if needed, comments on the PR
-  * The workflow in the base repository checks out the forked code
-  * The workflow runs the malicious code
-
-Please note that not only build scripts can be malicious code vectors. There is a large number of other possibilities. Some of them are listed in the [LOTP](https://boostsecurityio.github.io/lotp/) catalog.
+GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed (e.g., due to a modified build script) in a privileged job.

 ## Recommendation

@@ -41,8 +12,6 @@ The best practice is to handle the potentially untrusted pull request via the **

 The artifacts downloaded from the first workflow should be considered untrusted and must be verified.

-Additionally, ensure that least privilege are used both at the workflow level (through event triggers and workflow permissions) and job level (through job permissions).
-
 ## Example

 ### Incorrect Usage
@@ -164,6 +133,3 @@ jobs:
 ## References

 - GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
- Mitigating risks of untrusted checkout: [GitHub Docs](https://docs.github.com/en/enterprise-cloud@latest/actions/reference/security/secure-use#mitigating-the-risks-of-untrusted-code-checkout).
- Securing with least privilege: [Workflow secure use](https://docs.github.com/en/actions/reference/security/secure-use).
- Living Off the Pipeline: [LOTP](https://boostsecurityio.github.io/lotp/).
--- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql
+++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql
@@ -1,5 +1,5 @@
 /**
- * @name Checkout of untrusted code in a trusted context
+ * @name Checkout of untrusted code in trusted context
 * @description Privileged workflows have read/write access to the base repository and access to secrets.
 *              By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
 *              that is able to push to the base repository and to access secrets.
--- a/actions/ql/src/change-notes/2026-04-02-alert-msg-poisoning.md
+++ b/actions/ql/src/change-notes/2026-04-02-alert-msg-poisoning.md
@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* Fixed alert messages in `actions/artifact-poisoning/critical` and `actions/artifact-poisoning/medium` as they previously included a redundant placeholder in the alert message that would on occasion contain a long block of yml that makes the alert difficult to understand. Also clarify the wording to make it clear that it is not the artifact that is being poisoned, but instead a potentially untrusted artifact that is consumed. Also change the alert location to be the source, to align more with other queries reporting an artifact (e.g. zipslip) which is more useful.
--- a/actions/ql/src/change-notes/2026-04-02-permissions.md
+++ b/actions/ql/src/change-notes/2026-04-02-permissions.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query `actions/missing-workflow-permissions` no longer produces false positive results on reusable workflows where all callers set permissions.
--- a/actions/ql/src/change-notes/2026-05-05-untrusted-checkout-high.md
+++ b/actions/ql/src/change-notes/2026-05-05-untrusted-checkout-high.md
@@ -1,4 +0,0 @@
---
-category: majorAnalysis
---
-* Adjusted `actions/untrusted-checkout/critical` to align more with other untrusted resource queries, where the alert location is the location where the artifact is obtained from (the checkout point). This aligns with the other 2 related queries. This will cause the same alerts to re-open for closed alerts of this query.
--- a/actions/ql/src/change-notes/2026-05-12-sha256-pinned-actions.md
+++ b/actions/ql/src/change-notes/2026-05-12-sha256-pinned-actions.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The `actions/unpinned-tag` query now recognizes 64-character SHA-256 commit hashes as properly pinned references, in addition to 40-character SHA-1 hashes.
--- a/actions/ql/src/change-notes/2026-05-14-further-iteration-untrusted-checkout-improvements-alert.md
+++ b/actions/ql/src/change-notes/2026-05-14-further-iteration-untrusted-checkout-improvements-alert.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Altered the alert message for clarity for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`.
--- a/actions/ql/src/change-notes/2026-05-14-further-iteration-untrusted-checkout-improvements-helpfile.md
+++ b/actions/ql/src/change-notes/2026-05-14-further-iteration-untrusted-checkout-improvements-helpfile.md
@@ -1,4 +0,0 @@
---
-category: fix
---
-* Adjusted (minor) help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Clarified wording on in minor point, added one more listed resource and added one more recommendation for things to check.
--- a/actions/ql/src/change-notes/2026-05-14-further-iteration-untrusted-checkout-improvements-metadata.md
+++ b/actions/ql/src/change-notes/2026-05-14-further-iteration-untrusted-checkout-improvements-metadata.md
@@ -1,4 +0,0 @@
---
-category: queryMetadata
---
-* Reversed adjustment of the name of `actions/untrusted-checkout/high`, but kept the portion of the previous change for the word "trusted" to "privileged". Added a missing "a" to phrasing in `actions/untrusted-checkout/high` and `actions/untrusted-checkout/medium`.
--- a/actions/ql/src/change-notes/released/0.6.26.md
+++ b/actions/ql/src/change-notes/released/0.6.26.md
@@ -1,9 +0,0 @@
-## 0.6.26
-
-### Major Analysis Improvements
-
-* Fixed alert messages in `actions/artifact-poisoning/critical` and `actions/artifact-poisoning/medium` as they previously included a redundant placeholder in the alert message that would on occasion contain a long block of yml that makes the alert difficult to understand. Also improved the wording to make it clearer that it is not the artifact that is being poisoned, but instead a potentially untrusted artifact that is consumed. Finally, changed the alert location to be the source, to align more with other queries reporting an artifact (e.g. zipslip) which is more useful.
-
-### Minor Analysis Improvements
-
-* The query `actions/missing-workflow-permissions` no longer produces false positive results on reusable workflows where all callers set permissions.
--- a/actions/ql/src/change-notes/released/0.6.27.md
+++ b/actions/ql/src/change-notes/released/0.6.27.md
@@ -1,3 +0,0 @@
-## 0.6.27
-
-No user-facing changes.
--- a/actions/ql/src/change-notes/released/0.6.28.md
+++ b/actions/ql/src/change-notes/released/0.6.28.md
@@ -1,13 +0,0 @@
-## 0.6.28
-
-### Query Metadata Changes
-
-* Adjusted the name of `actions/untrusted-checkout/high` to more clearly describe which parts of the scenario are in a privileged context.
-
-### Minor Analysis Improvements
-
-* The `actions/unpinned-tag` query now analyzes composite action metadata (`action.yml`/`action.yaml` files) in addition to workflow files, providing more comprehensive detection of unpinned action references across the entire Actions ecosystem.
-
-### Bug Fixes
-
-* Fixed help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Previously the messages were unclear as to why and how the vulnerabilities could occur. 
--- a/actions/ql/src/codeql-pack.release.yml
+++ b/actions/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.28
+lastReleaseVersion: 0.6.25
--- a/actions/ql/src/qlpack.yml
+++ b/actions/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.29-dev
+version: 0.6.26-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]
--- a/actions/ql/test/justfile
+++ b/actions/ql/test/justfile
@@ -0,0 +1,8 @@
+import "../justfile"
+
+base_flags := ""
+
+all_checks := default_db_checks
+
+[no-cd]
+test *ARGS=".": (_codeql_test "actions" base_flags all_checks ARGS)
--- a/actions/ql/test/query-tests/Security/CWE-829/.github/actions/unpinned-tag/action.yml
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/actions/unpinned-tag/action.yml
@@ -1,6 +0,0 @@
-name: Composite unpinned tag test
-runs:
-  using: "composite"
-  steps:
-    - uses: foo/bar@v2
-    - uses: foo/bar@25b062c917b0c75f8b47d8469aff6c94ffd89abb
--- a/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/unpinned_tags.yml
+++ b/actions/ql/test/query-tests/Security/CWE-829/.github/workflows/unpinned_tags.yml
@@ -11,9 +11,3 @@ jobs:
    - uses: foo/bar@25b062c917b0c75f8b47d8469aff6c94ffd89abb
    - uses: docker://foo/bar@latest
    - uses: docker://foo/bar@sha256:887a259a5a534f3c4f36cb02dca341673c6089431057242cdc931e9f133147e9
-    # SHA-256 pinned (64 hex chars) - should NOT be flagged
-    - uses: foo/bar@25b062c917b0c75f8b47d8469aff6c94ffd89abb25b062c917b0c75f8b47d84d
-    # SHA-1 pinned (40 hex chars) regression - should NOT be flagged
-    - uses: foo/bar@a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2
-    # Invalid 50-char hex string - should be flagged
-    - uses: foo/bar@a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2a1b2c3d4e5
--- a/actions/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
+++ b/actions/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
@@ -1,4 +1,3 @@
-| .github/actions/unpinned-tag/action.yml:5:13:5:22 | foo/bar@v2 | Unpinned 3rd party Action 'action.yml' step $@ uses 'foo/bar' with ref 'v2', not a pinned commit hash | .github/actions/unpinned-tag/action.yml:5:7:6:4 | Uses Step | Uses Step |
 | .github/workflows/actor_trusted_checkout.yml:19:13:19:36 | completely/fakeaction@v2 | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Uses Step |
 | .github/workflows/actor_trusted_checkout.yml:23:13:23:37 | fakerepo/comment-on-pr@v1 | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Uses Step |
 | .github/workflows/artifactpoisoning21.yml:13:15:13:49 | dawidd6/action-download-artifact@v2 | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Uses Step |
@@ -34,4 +33,3 @@
 | .github/workflows/test18.yml:37:21:37:63 | sonarsource/sonarcloud-github-action@master | Unpinned 3rd party Action 'Sonar' step $@ uses 'sonarsource/sonarcloud-github-action' with ref 'master', not a pinned commit hash | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Uses Step |
 | .github/workflows/unpinned_tags.yml:10:13:10:22 | foo/bar@v1 | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref 'v1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step |
 | .github/workflows/unpinned_tags.yml:12:13:12:35 | docker://foo/bar@latest | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'docker://foo/bar' with ref 'latest', not a pinned commit hash | .github/workflows/unpinned_tags.yml:12:7:13:4 | Uses Step | Uses Step |
-| .github/workflows/unpinned_tags.yml:19:13:19:70 | foo/bar@a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2a1b2c3d4e5 | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref 'a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2a1b2c3d4e5', not a pinned commit hash | .github/workflows/unpinned_tags.yml:19:7:19:71 | Uses Step | Uses Step |
--- a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
+++ b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
@@ -8,7 +8,6 @@ edges
 | .github/actions/download-artifact/action.yaml:25:7:29:4 | Run Step | .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step |
 | .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step | .github/workflows/artifactpoisoning91.yml:19:9:25:6 | Run Step: metadata |
 | .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step | .github/workflows/resolve-args.yml:22:9:36:13 | Run Step: resolve-step |
-| .github/actions/unpinned-tag/action.yml:5:7:6:4 | Uses Step | .github/actions/unpinned-tag/action.yml:6:7:6:61 | Uses Step |
 | .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step |
 | .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step |
 | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step |
@@ -312,10 +311,7 @@ edges
 | .github/workflows/unpinned_tags.yml:9:7:10:4 | Uses Step | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step |
 | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:12:4 | Uses Step |
 | .github/workflows/unpinned_tags.yml:11:7:12:4 | Uses Step | .github/workflows/unpinned_tags.yml:12:7:13:4 | Uses Step |
-| .github/workflows/unpinned_tags.yml:12:7:13:4 | Uses Step | .github/workflows/unpinned_tags.yml:13:7:15:4 | Uses Step |
-| .github/workflows/unpinned_tags.yml:13:7:15:4 | Uses Step | .github/workflows/unpinned_tags.yml:15:7:17:4 | Uses Step |
-| .github/workflows/unpinned_tags.yml:15:7:17:4 | Uses Step | .github/workflows/unpinned_tags.yml:17:7:19:4 | Uses Step |
-| .github/workflows/unpinned_tags.yml:17:7:19:4 | Uses Step | .github/workflows/unpinned_tags.yml:19:7:19:71 | Uses Step |
+| .github/workflows/unpinned_tags.yml:12:7:13:4 | Uses Step | .github/workflows/unpinned_tags.yml:13:7:13:101 | Uses Step |
 | .github/workflows/untrusted_checkout2.yml:7:9:14:6 | Run Step: pr_number | .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step |
 | .github/workflows/untrusted_checkout3.yml:11:9:12:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step |
 | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step |
@@ -338,42 +334,42 @@ edges
 | .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step |
 | .github/workflows/workflow_run_untrusted_checkout_3.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_3.yml:16:9:18:31 | Uses Step |
 #select
-| .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
-| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
-| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
-| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
-| .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | pull_request_target |
-| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | pull_request_target |
-| .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | pull_request_target |
-| .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment |
-| .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment |
-| .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/reusable_caller3.yaml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:59:9:60:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:60:9:60:37 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | pull_request_target |
-| .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test11.yml:5:3:5:15 | issue_comment | issue_comment |
-| .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test17.yml:3:5:3:16 | workflow_run | workflow_run |
-| .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:21:9:22:16 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test26.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/test29.yml:8:7:14:4 | Uses Step | .github/workflows/test29.yml:8:7:14:4 | Uses Step | .github/workflows/test29.yml:14:7:21:11 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test29.yml:1:5:1:23 | pull_request_target | pull_request_target |
-| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
-| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
-| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
-| .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target |
-| .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target |
+| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
+| .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
+| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
+| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
+| .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | pull_request_target |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | pull_request_target |
+| .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | pull_request_target |
+| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment |
+| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment |
+| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller3.yaml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/test7.yml:59:9:60:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:59:9:60:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/test7.yml:60:9:60:37 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:60:9:60:37 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | pull_request_target |
+| .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test11.yml:5:3:5:15 | issue_comment | issue_comment |
+| .github/workflows/test17.yml:19:15:23:58 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test17.yml:3:5:3:16 | workflow_run | workflow_run |
+| .github/workflows/test27.yml:21:9:22:16 | Run Step | .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:21:9:22:16 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test26.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/test29.yml:14:7:21:11 | Uses Step | .github/workflows/test29.yml:8:7:14:4 | Uses Step | .github/workflows/test29.yml:14:7:21:11 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test29.yml:1:5:1:23 | pull_request_target | pull_request_target |
+| .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
+| .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
+| .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
+| .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target |
+| .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target |
--- a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected
+++ b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected
@@ -1,23 +1,23 @@
-| .github/workflows/issue_comment_direct.yml:12:9:16:2 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_direct.yml:20:9:24:2 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_direct.yml:28:9:32:2 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_direct.yml:35:9:40:2 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_direct.yml:43:9:46:126 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_heuristic.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_heuristic.yml:48:7:50:46 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_heuristic.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_octokit2.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/pr-workflow.yml:103:9:109:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/pr-workflow.yml:139:9:144:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/pr-workflow.yml:444:9:449:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/test13.yml:20:7:25:4 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test13.yml:2:3:2:15 | issue_comment | issue_comment |
-| .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout2.yml:1:5:1:17 | issue_comment | issue_comment |
-| .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/workflow_run_untrusted_checkout.yml:2:3:2:14 | workflow_run | workflow_run |
-| .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/workflow_run_untrusted_checkout.yml:2:3:2:14 | workflow_run | workflow_run |
-| .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/workflow_run_untrusted_checkout_2.yml:2:3:2:14 | workflow_run | workflow_run |
-| .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/workflow_run_untrusted_checkout_2.yml:2:3:2:14 | workflow_run | workflow_run |
+| .github/workflows/issue_comment_direct.yml:12:9:16:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_direct.yml:20:9:24:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_direct.yml:28:9:32:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_direct.yml:35:9:40:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_direct.yml:43:9:46:126 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_heuristic.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_heuristic.yml:48:7:50:46 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_heuristic.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit2.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/pr-workflow.yml:103:9:109:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/pr-workflow.yml:139:9:144:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/pr-workflow.yml:444:9:449:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/test13.yml:20:7:25:4 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test13.yml:2:3:2:15 | issue_comment | issue_comment |
+| .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout2.yml:1:5:1:17 | issue_comment | issue_comment |
+| .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/workflow_run_untrusted_checkout.yml:2:3:2:14 | workflow_run | workflow_run |
+| .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/workflow_run_untrusted_checkout.yml:2:3:2:14 | workflow_run | workflow_run |
+| .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/workflow_run_untrusted_checkout_2.yml:2:3:2:14 | workflow_run | workflow_run |
+| .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/workflow_run_untrusted_checkout_2.yml:2:3:2:14 | workflow_run | workflow_run |
--- a/cpp/downgrades/837c4e02326aee4582405d069263092e80a15d82/old.dbscheme
+++ b/cpp/downgrades/837c4e02326aee4582405d069263092e80a15d82/old.dbscheme
--- a/cpp/downgrades/837c4e02326aee4582405d069263092e80a15d82/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/837c4e02326aee4582405d069263092e80a15d82/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/837c4e02326aee4582405d069263092e80a15d82/upgrade.properties
+++ b/cpp/downgrades/837c4e02326aee4582405d069263092e80a15d82/upgrade.properties
@@ -1,6 +0,0 @@
-description: Support alias templates
-compatibility: full
-is_alias_template.rel: delete
-alias_instantiation.rel: delete
-alias_template_argument.rel: delete
-alias_template_argument_value.rel: delete
--- a/cpp/downgrades/ef8d209a22e27413aaaeff4446f0ecb9fa2c227b/old.dbscheme
+++ b/cpp/downgrades/ef8d209a22e27413aaaeff4446f0ecb9fa2c227b/old.dbscheme
--- a/cpp/downgrades/ef8d209a22e27413aaaeff4446f0ecb9fa2c227b/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/ef8d209a22e27413aaaeff4446f0ecb9fa2c227b/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/ef8d209a22e27413aaaeff4446f0ecb9fa2c227b/upgrade.properties
+++ b/cpp/downgrades/ef8d209a22e27413aaaeff4446f0ecb9fa2c227b/upgrade.properties
@@ -1,6 +0,0 @@
-description: Capture information about one template being generated from another
-compatibility: full
-class_template_generated_from.rel: delete
-function_template_generated_from.rel: delete
-variable_template_generated_from.rel: delete
-alias_template_generated_from.rel: delete
--- a/cpp/justfile
+++ b/cpp/justfile
@@ -0,0 +1,8 @@
+import '../lib.just'
+import? '../../cpp-coding-standards.just'
+
+[group('build')]
+build: (_build_dist "cpp")
+
+[group('test')]
+language-tests *EXTRA_ARGS: (_language_tests EXTRA_ARGS source_dir() 'ql/test' '../../semmlecode-cpp-tests')
--- a/cpp/ql/consistency-queries/badLocations.ql
+++ b/cpp/ql/consistency-queries/badLocations.ql
@@ -0,0 +1,9 @@
+import cpp
+
+// Locations should either be :0:0:0:0 locations (UnknownLocation, or
+// a whole file), or all 4 fields should be positive.
+from Location l
+where
+  [l.getStartLine(), l.getEndLine(), l.getStartColumn(), l.getEndColumn()] != 0 and
+  [l.getStartLine(), l.getEndLine(), l.getStartColumn(), l.getEndColumn()] < 1
+select l
--- a/cpp/ql/consistency-queries/nullInToString.ql
+++ b/cpp/ql/consistency-queries/nullInToString.ql
@@ -0,0 +1,5 @@
+import cpp
+
+from Element e
+where e.toString().matches("%(null)%")
+select e
--- a/cpp/ql/consistency-queries/qlpack.yml
+++ b/cpp/ql/consistency-queries/qlpack.yml
@@ -0,0 +1,5 @@
+name: codeql/cpp-consistency-queries
+groups: [cpp, test, consistency-queries]
+dependencies:
+  codeql/cpp-all: ${workspace}
+extractor: cpp
--- a/cpp/ql/consistency-queries/unusedLocations.ql
+++ b/cpp/ql/consistency-queries/unusedLocations.ql
@@ -0,0 +1,10 @@
+import cpp
+
+from Location l
+where
+  not any(Element e).getLocation() = l and
+  not any(LambdaCapture lc).getLocation() = l and
+  not any(MacroAccess ma).getActualLocation() = l and
+  not any(NamespaceDeclarationEntry nde).getBodyLocation() = l and
+  not any(XmlLocatable xml).getLocation() = l
+select l
--- a/cpp/ql/consistency-queries/variableDeclarationsWithoutTypes.ql
+++ b/cpp/ql/consistency-queries/variableDeclarationsWithoutTypes.ql
@@ -0,0 +1,5 @@
+import cpp
+
+from VariableDeclarationEntry i
+where not exists(i.getType())
+select i
--- a/cpp/ql/consistency-queries/variablesWithoutTypes.ql
+++ b/cpp/ql/consistency-queries/variablesWithoutTypes.ql
@@ -0,0 +1,5 @@
+import cpp
+
+from Variable i
+where not exists(i.getType())
+select i
--- a/cpp/ql/integration-tests/justfile
+++ b/cpp/ql/integration-tests/justfile
@@ -0,0 +1,4 @@
+import "../../../lib.just"
+
+[no-cd]
+test *ARGS=".": (_integration_test ARGS)
--- a/cpp/ql/justfile
+++ b/cpp/ql/justfile
@@ -0,0 +1,6 @@
+import "../../lib.just"
+
+[no-cd]
+format *ARGS=".": (_format_ql ARGS)
+
+consistency_queries := source_dir() / "consistency-queries"
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,31 +1,3 @@
-## 10.1.1
-
-### Minor Analysis Improvements
-
-* The `RemoteFlowSourceFunction` model for `fscanf` (and variants) now implements `hasSocketInput` to reflect that these functions may read from a socket.
-
-## 10.1.0
-
-### New Features
-
-* A new predicate `getSwitchCase` was added to the `SwitchStmt` class, which yields the `n`th `case` statement from a `switch` statement.
-* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for C and C++](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-cpp/).
-
-### Minor Analysis Improvements
-
-* Added taint flow models for the `Strsafe.h` header from the Windows SDK.
-
-## 10.0.0
-
-### Breaking Changes
-
-* The deprecated `NonThrowingFunction` class has been removed, use `NonCppThrowingFunction` instead.
-* The deprecated `ThrowingFunction` class has been removed, use `AlwaysSehThrowingFunction` instead.
-
-### New Features
-
-* Added a subclass `AutoconfConfigureTestFile` of `ConfigurationTestFile` that represents files created by GNU autoconf configure scripts to test the build configuration.
-
 ## 9.0.0

 ### Breaking Changes
--- a/cpp/ql/lib/change-notes/2026-04-07-autoconf.md
+++ b/cpp/ql/lib/change-notes/2026-04-07-autoconf.md
@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added a subclass `AutoconfConfigureTestFile` of `ConfigurationTestFile` that represents files created by GNU autoconf configure scripts to test the build configuration.
--- a/cpp/ql/lib/change-notes/2026-04-14-throwing.md
+++ b/cpp/ql/lib/change-notes/2026-04-14-throwing.md
@@ -0,0 +1,5 @@
+---
+category: breaking
+---
+* The deprecated `NonThrowingFunction` class has been removed, use `NonCppThrowingFunction` instead.
+* The deprecated `ThrowingFunction` class has been removed, use `AlwaysSehThrowingFunction` instead.
--- a/cpp/ql/lib/change-notes/2026-05-15-secure-scanf.md
+++ b/cpp/ql/lib/change-notes/2026-05-15-secure-scanf.md
@@ -1,5 +0,0 @@
---
-category: minorAnalysis
---
-* Added flow source models for `scanf_s` and related functions.
-* Added a `Call` column to `LocalFlowSourceFunction::hasLocalFlowSource` and `RemoteFlowSourceFunction::hasRemoteFlowSource`. The old predicates without a `Call` column continue to be supported.
--- a/cpp/ql/lib/change-notes/2026-05-16-alias-template.md
+++ b/cpp/ql/lib/change-notes/2026-05-16-alias-template.md
@@ -1,4 +0,0 @@
---
-category: feature
---
-* Added `AliasTemplateType` and `AliasTemplateInstantiationType` classes, representing C++ alias templates and their instantiations.
--- a/cpp/ql/lib/change-notes/2026-05-18-alias-type.md
+++ b/cpp/ql/lib/change-notes/2026-05-18-alias-type.md
@@ -1,4 +0,0 @@
---
-category: deprecated
---
-* The `UsingAliasTypedefType` class has been deprecated. Use `TypeAliasType` instead.
--- a/cpp/ql/lib/change-notes/2026-05-21-generated-from.md
+++ b/cpp/ql/lib/change-notes/2026-05-21-generated-from.md
@@ -1,4 +0,0 @@
---
-category: feature
---
-* Added a `getOriginalTemplate` predicate to `TemplateClass`, `TemplateFunction`, `TemplateVariable`, and `AliasTemplateType`, which yields the class member template the template was generated from. The predicates only have results for templates that are members of class template instantiations.
--- a/cpp/ql/lib/change-notes/released/10.0.0.md
+++ b/cpp/ql/lib/change-notes/released/10.0.0.md
@@ -1,10 +0,0 @@
-## 10.0.0
-
-### Breaking Changes
-
-* The deprecated `NonThrowingFunction` class has been removed, use `NonCppThrowingFunction` instead.
-* The deprecated `ThrowingFunction` class has been removed, use `AlwaysSehThrowingFunction` instead.
-
-### New Features
-
-* Added a subclass `AutoconfConfigureTestFile` of `ConfigurationTestFile` that represents files created by GNU autoconf configure scripts to test the build configuration.
--- a/cpp/ql/lib/change-notes/released/10.1.0.md
+++ b/cpp/ql/lib/change-notes/released/10.1.0.md
@@ -1,10 +0,0 @@
-## 10.1.0
-
-### New Features
-
-* A new predicate `getSwitchCase` was added to the `SwitchStmt` class, which yields the `n`th `case` statement from a `switch` statement.
-* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for C and C++](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-cpp/).
-
-### Minor Analysis Improvements
-
-* Added taint flow models for the `Strsafe.h` header from the Windows SDK.
--- a/cpp/ql/lib/change-notes/released/10.1.1.md
+++ b/cpp/ql/lib/change-notes/released/10.1.1.md
@@ -1,5 +0,0 @@
-## 10.1.1
-
-### Minor Analysis Improvements
-
-* The `RemoteFlowSourceFunction` model for `fscanf` (and variants) now implements `hasSocketInput` to reflect that these functions may read from a socket.
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 10.1.1
+lastReleaseVersion: 9.0.0
--- a/cpp/ql/lib/ext/Strsafe.model.yml
+++ b/cpp/ql/lib/ext/Strsafe.model.yml
@@ -1,94 +0,0 @@
-# Models for strsafe.h safe string functions
-extensions:
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: sourceModel
-    data: # namespace, type, subtypes, name, signature, ext, output, kind, provenance
-      # StringCchGets: (pszDest, cchDest)
-      - ["", "", False, "StringCchGetsA", "", "", "Argument[*0]", "local", "manual"]
-      - ["", "", False, "StringCchGetsW", "", "", "Argument[*0]", "local", "manual"]
-      # StringCbGets: (pszDest, cbDest)
-      - ["", "", False, "StringCbGetsA", "", "", "Argument[*0]", "local", "manual"]
-      - ["", "", False, "StringCbGetsW", "", "", "Argument[*0]", "local", "manual"]
-      # StringCchGetsEx: (pszDest, cchDest, ppszDestEnd, pcchRemaining, dwFlags)
-      - ["", "", False, "StringCchGetsExA", "", "", "Argument[*0]", "local", "manual"]
-      - ["", "", False, "StringCchGetsExW", "", "", "Argument[*0]", "local", "manual"]
-      # StringCbGetsEx: (pszDest, cbDest, ppszDestEnd, pcbRemaining, dwFlags)
-      - ["", "", False, "StringCbGetsExA", "", "", "Argument[*0]", "local", "manual"]
-      - ["", "", False, "StringCbGetsExW", "", "", "Argument[*0]", "local", "manual"]
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: summaryModel
-    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
-      # StringCchCopy: (pszDest, cchDest, pszSrc)
-      - ["", "", False, "StringCchCopyA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
-      - ["", "", False, "StringCchCopyW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
-      # StringCbCopy: (pszDest, cbDest, pszSrc)
-      - ["", "", False, "StringCbCopyA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
-      - ["", "", False, "StringCbCopyW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
-      # StringCchCopyEx: (pszDest, cchDest, pszSrc, ppszDestEnd, pcchRemaining, dwFlags)
-      - ["", "", False, "StringCchCopyExA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
-      - ["", "", False, "StringCchCopyExW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
-      # StringCbCopyEx: (pszDest, cbDest, pszSrc, ppszDestEnd, pcbRemaining, dwFlags)
-      - ["", "", False, "StringCbCopyExA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
-      - ["", "", False, "StringCbCopyExW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
-      # StringCchCopyN: (pszDest, cchDest, pszSrc, cchToCopy)
-      - ["", "", False, "StringCchCopyNA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
-      - ["", "", False, "StringCchCopyNW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
-      # StringCbCopyN: (pszDest, cbDest, pszSrc, cbToCopy)
-      - ["", "", False, "StringCbCopyNA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
-      - ["", "", False, "StringCbCopyNW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
-      # StringCchCopyNEx: (pszDest, cchDest, pszSrc, cchToCopy, ppszDestEnd, pcchRemaining, dwFlags)
-      - ["", "", False, "StringCchCopyNExA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
-      - ["", "", False, "StringCchCopyNExW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
-      # StringCbCopyNEx: (pszDest, cbDest, pszSrc, cbToCopy, ppszDestEnd, pcbRemaining, dwFlags)
-      - ["", "", False, "StringCbCopyNExA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
-      - ["", "", False, "StringCbCopyNExW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
-      # StringCchCat: (pszDest, cchDest, pszSrc)
-      - ["", "", False, "StringCchCatA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
-      - ["", "", False, "StringCchCatW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
-      # StringCbCat: (pszDest, cbDest, pszSrc)
-      - ["", "", False, "StringCbCatA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
-      - ["", "", False, "StringCbCatW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
-      # StringCchCatEx: (pszDest, cchDest, pszSrc, ppszDestEnd, pcchRemaining, dwFlags)
-      - ["", "", False, "StringCchCatExA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
-      - ["", "", False, "StringCchCatExW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
-      # StringCbCatEx: (pszDest, cbDest, pszSrc, ppszDestEnd, pcbRemaining, dwFlags)
-      - ["", "", False, "StringCbCatExA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
-      - ["", "", False, "StringCbCatExW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
-      # StringCchCatN: (pszDest, cchDest, pszSrc, cchToAppend)
-      - ["", "", False, "StringCchCatNA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
-      - ["", "", False, "StringCchCatNW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
-      # StringCbCatN: (pszDest, cbDest, pszSrc, cbToAppend)
-      - ["", "", False, "StringCbCatNA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
-      - ["", "", False, "StringCbCatNW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
-      # StringCchCatNEx: (pszDest, cchDest, pszSrc, cchToAppend, ppszDestEnd, pcchRemaining, dwFlags)
-      - ["", "", False, "StringCchCatNExA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
-      - ["", "", False, "StringCchCatNExW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
-      # StringCbCatNEx: (pszDest, cbDest, pszSrc, cbToAppend, ppszDestEnd, pcbRemaining, dwFlags)
-      - ["", "", False, "StringCbCatNExA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
-      - ["", "", False, "StringCbCatNExW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
-      # StringCchPrintf: (pszDest, cchDest, pszFormat, ...)
-      - ["", "", False, "StringCchPrintfA", "", "", "Argument[*2..8]", "Argument[*0]", "taint", "manual"]
-      - ["", "", False, "StringCchPrintfW", "", "", "Argument[*2..8]", "Argument[*0]", "taint", "manual"]
-      # StringCbPrintf: (pszDest, cbDest, pszFormat, ...)
-      - ["", "", False, "StringCbPrintfA", "", "", "Argument[*2..8]", "Argument[*0]", "taint", "manual"]
-      - ["", "", False, "StringCbPrintfW", "", "", "Argument[*2..8]", "Argument[*0]", "taint", "manual"]
-      # StringCchPrintfEx: (pszDest, cchDest, ppszDestEnd, pcchRemaining, dwFlags, pszFormat, ...)
-      - ["", "", False, "StringCchPrintfExA", "", "", "Argument[*5..11]", "Argument[*0]", "taint", "manual"]
-      - ["", "", False, "StringCchPrintfExW", "", "", "Argument[*5..11]", "Argument[*0]", "taint", "manual"]
-      # StringCbPrintfEx: (pszDest, cbDest, ppszDestEnd, pcbRemaining, dwFlags, pszFormat, ...)
-      - ["", "", False, "StringCbPrintfExA", "", "", "Argument[*5..11]", "Argument[*0]", "taint", "manual"]
-      - ["", "", False, "StringCbPrintfExW", "", "", "Argument[*5..11]", "Argument[*0]", "taint", "manual"]
-      # StringCchVPrintf: (pszDest, cchDest, pszFormat, argList)
-      - ["", "", False, "StringCchVPrintfA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
-      - ["", "", False, "StringCchVPrintfW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
-      # StringCbVPrintf: (pszDest, cbDest, pszFormat, argList)
-      - ["", "", False, "StringCbVPrintfA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
-      - ["", "", False, "StringCbVPrintfW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
-      # StringCchVPrintfEx: (pszDest, cchDest, ppszDestEnd, pcchRemaining, dwFlags, pszFormat, argList)
-      - ["", "", False, "StringCchVPrintfExA", "", "", "Argument[*5]", "Argument[*0]", "taint", "manual"]
-      - ["", "", False, "StringCchVPrintfExW", "", "", "Argument[*5]", "Argument[*0]", "taint", "manual"]
-      # StringCbVPrintfEx: (pszDest, cbDest, ppszDestEnd, pcbRemaining, dwFlags, pszFormat, argList)
-      - ["", "", False, "StringCbVPrintfExA", "", "", "Argument[*5]", "Argument[*0]", "taint", "manual"]
-      - ["", "", False, "StringCbVPrintfExW", "", "", "Argument[*5]", "Argument[*0]", "taint", "manual"]
--- a/cpp/ql/lib/ext/allocation/Std.allocation.model.yml
+++ b/cpp/ql/lib/ext/allocation/Std.allocation.model.yml
@@ -12,7 +12,4 @@ extensions:
      - ["", "", False, "_malloca", "0", "", "", False]
      - ["", "", False, "calloc", "1", "0", "", True]
      - ["std", "", False, "calloc", "1", "0", "", True]
-      - ["bsl", "", False, "calloc", "1", "0", "", True]
-      - ["", "", False, "aligned_alloc", "1", "", "", True]
-      - ["std", "", False, "aligned_alloc", "1", "", "", True]
-      - ["bsl", "", False, "aligned_alloc", "1", "", "", True]
+      - ["bsl", "", False, "calloc", "1", "0", "", True]
--- a/cpp/ql/lib/ext/generated/modelgenerator/brotli/brotli.model.yml
+++ b/cpp/ql/lib/ext/generated/modelgenerator/brotli/brotli.model.yml
--- a/cpp/ql/lib/ext/generated/modelgenerator/curl/curl.model.yml
+++ b/cpp/ql/lib/ext/generated/modelgenerator/curl/curl.model.yml
--- a/cpp/ql/lib/ext/generated/modelgenerator/glibc/glibc.model.yml
+++ b/cpp/ql/lib/ext/generated/modelgenerator/glibc/glibc.model.yml
--- a/cpp/ql/lib/ext/generated/modelgenerator/libidn2/libidn2.model.yml
+++ b/cpp/ql/lib/ext/generated/modelgenerator/libidn2/libidn2.model.yml
--- a/cpp/ql/lib/ext/generated/modelgenerator/libssh2/libssh2.model.yml
+++ b/cpp/ql/lib/ext/generated/modelgenerator/libssh2/libssh2.model.yml
--- a/cpp/ql/lib/ext/generated/modelgenerator/libuv/libuv.model.yml
+++ b/cpp/ql/lib/ext/generated/modelgenerator/libuv/libuv.model.yml
--- a/cpp/ql/lib/ext/generated/modelgenerator/nghttp2/nghttp2.model.yml
+++ b/cpp/ql/lib/ext/generated/modelgenerator/nghttp2/nghttp2.model.yml
--- a/cpp/ql/lib/ext/generated/modelgenerator/openssl/openssl.model.yml
+++ b/cpp/ql/lib/ext/generated/modelgenerator/openssl/openssl.model.yml
--- a/cpp/ql/lib/ext/generated/modelgenerator/sqlite/sqlite.model.yml
+++ b/cpp/ql/lib/ext/generated/modelgenerator/sqlite/sqlite.model.yml
--- a/cpp/ql/lib/ext/generated/modelgenerator/zlib/zlib.model.yml
+++ b/cpp/ql/lib/ext/generated/modelgenerator/zlib/zlib.model.yml
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 10.1.2-dev
+version: 9.0.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
--- a/cpp/ql/lib/semmle/code/cpp/Class.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Class.qll
@@ -856,10 +856,8 @@ class AbstractClass extends Class {

 /**
 * A class template (this class also finds partial specializations
- * of class templates).
- *
- * For example in the following code there is a `MyTemplateClass<T>`
- * template:
+ * of class templates).  For example in the following code there is a
+ * `MyTemplateClass<T>` template:
 * ```
 * template<class T>
 * class MyTemplateClass {
@@ -895,29 +893,6 @@ class TemplateClass extends Class {
  }

  override string getAPrimaryQlClass() { result = "TemplateClass" }
-
-  /**
-   * Gets the class member template this template was generated from.
-   *
-   * This predicate only has results for templates that are members of class
-   * template instantiations. For example, for `MyTemplateClass<int>::C<S>`
-   * in the following code, the result is `MyTemplateClass<T>::C<S>`.
-   * ```cpp
-   * template<class T>
-   * class MyTemplateClass {
-   *   template<class S>
-   *   class C {
-   *     ...
-   *   };
-   * };
-   *
-   * template
-   * class MyTemplateClass<int>;
-   * ```
-   */
-  TemplateClass getOriginalTemplate() {
-    class_template_generated_from(underlyingElement(this), unresolveElement(result))
-  }
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/Declaration.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Declaration.qll
@@ -278,8 +278,6 @@ class Declaration extends Locatable, @declaration {
    or
    variable_template_argument(underlyingElement(this), index, unresolveElement(result))
    or
-    alias_template_argument(underlyingElement(this), index, unresolveElement(result))
-    or
    template_template_argument(underlyingElement(this), index, unresolveElement(result))
    or
    concept_template_argument(underlyingElement(this), index, unresolveElement(result))
@@ -292,8 +290,6 @@ class Declaration extends Locatable, @declaration {
    or
    variable_template_argument_value(underlyingElement(this), index, unresolveElement(result))
    or
-    alias_template_argument_value(underlyingElement(this), index, unresolveElement(result))
-    or
    template_template_argument_value(underlyingElement(this), index, unresolveElement(result))
    or
    concept_template_argument_value(underlyingElement(this), index, unresolveElement(result))
--- a/cpp/ql/lib/semmle/code/cpp/Element.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Element.qll
@@ -278,15 +278,6 @@ private predicate isFromTemplateInstantiationRec(Element e, Element instantiatio
  instantiation.(Variable).isConstructedFrom(_) and
  e = instantiation
  or
-  instantiation.(TypeAliasType).isConstructedFrom(_) and
-  e = instantiation
-  or
-  instantiation.(TemplateTemplateParameterInstantiation).isConstructedFrom(_) and
-  e = instantiation
-  or
-  exists(instantiation.(ConceptIdExpr).getConcept()) and
-  e = instantiation
-  or
  isFromTemplateInstantiationRec(e.getEnclosingElement(), instantiation)
 }

@@ -300,15 +291,6 @@ private predicate isFromUninstantiatedTemplateRec(Element e, Element template) {
  is_variable_template(unresolveElement(template)) and
  e = template
  or
-  is_alias_template(unresolveElement(template)) and
-  e = template
-  or
-  usertypes(unresolveElement(template), _, 8) and // template template parameter
-  e = template
-  or
-  template instanceof @concept_template and
-  e = template
-  or
  isFromUninstantiatedTemplateRec(e.getEnclosingElement(), template)
 }

--- a/cpp/ql/lib/semmle/code/cpp/Function.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Function.qll
@@ -828,27 +828,6 @@ class TemplateFunction extends Function {
   * such things -- see FunctionTemplateSpecialization for further details.
   */
  FunctionTemplateSpecialization getASpecialization() { result.getPrimaryTemplate() = this }
-
-  /**
-   * Gets the class member template this template was generated from.
-   *
-   * This predicate only has results for templates that are members of class
-   * template instantiations. For example, for `MyTemplateClass<int>::f<S>`
-   * in the following code, the result is `MyTemplateClass<T>::f<S>`.
-   * ```cpp
-   * template<class T>
-   * class MyTemplateClass {
-   *   template<class S>
-   *   S f();
-   * };
-   *
-   * template
-   * class MyTemplateClass<int>;
-   * ```
-   */
-  TemplateFunction getOriginalTemplate() {
-    function_template_generated_from(underlyingElement(this), unresolveElement(result))
-  }
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/TypedefType.qll
+++ b/cpp/ql/lib/semmle/code/cpp/TypedefType.qll
@@ -64,123 +64,23 @@ class CTypedefType extends TypedefType {
 }

 /**
- * DEPRECATED: Use `TypeAlias` instead.
- *
- * A C++ type alias or alias template.
- *
- * For example the type declared in the following code:
+ * A using alias C++ typedef type.  For example the type declared in the following code:
 * ```
 * using my_int2 = int;
 * ```
 */
-deprecated class UsingAliasTypedefType = TypeAliasType;
+class UsingAliasTypedefType extends TypedefType {
+  UsingAliasTypedefType() { usertype_alias_kind(underlyingElement(this), 1) }

-/**
- * A C++ type alias or alias template.
- *
- * For example the type declared in the following code:
- * ```
- * using my_int2 = int;
- * ```
- */
-class TypeAliasType extends TypedefType {
-  TypeAliasType() { usertype_alias_kind(underlyingElement(this), 1) }
-
-  override string getAPrimaryQlClass() { result = "TypeAliasType" }
+  override string getAPrimaryQlClass() { result = "UsingAliasTypedefType" }

  override string explain() {
    result = "using {" + this.getBaseType().explain() + "} as \"" + this.getName() + "\""
  }
-
-  /**
-   * Holds if this alias is constructed from another alias as a result of
-   * template instantiation.
-   */
-  predicate isConstructedFrom(TypeAliasType t) {
-    alias_instantiation(underlyingElement(this), unresolveElement(t))
-  }
 }

 /**
- * A C++ alias template.
- *
- * For example the type declared in the following code:
- * ```
- * template <typename T>
- * using my_type = T;
- * ```
- */
-class AliasTemplateType extends TypeAliasType {
-  AliasTemplateType() { is_alias_template(underlyingElement(this)) }
-
-  override string getAPrimaryQlClass() { result = "AliasTemplateType" }
-
-  /**
-   * Gets an alias instantiated from this template.
-   *
-   * For example for `MyAliasTemplate<T>` in the following code, the results are
-   * `MyAliasTemplate<int>` and `MyAliasTemplate<long>`:
-   * ```
-   * template<typename T>
-   * using MyAliasTemplate = ...;
-   *
-   * MyAliasTemplate<int> instance1;
-   *
-   * MyAliasTemplate<long> instance2;
-   * ```
-   */
-  TypeAliasType getAnInstantiation() { result.isConstructedFrom(this) }
-
-  /**
-   * Gets the class member template this template was generated from.
-   *
-   * This predicate only has results for templates that are members of class
-   * template instantiations. For example, for `MyTemplateClass<int>::t<S>`
-   * in the following code, the result is `MyTemplateClass<T>::t<S>`.
-   * ```cpp
-   * template<class T>
-   * class MyTemplateClass {
-   *   template<class S>
-   *   using t = S;
-   * };
-   *
-   * template
-   * class MyTemplateClass<int>;
-   * ```
-   */
-  AliasTemplateType getOriginalTemplate() {
-    alias_template_generated_from(underlyingElement(this), unresolveElement(result))
-  }
-}
-
-/**
- * A C++ alias template instantiation.
- *
- * For example the `my_int_type` type declared in the following code:
- * ```
- * template <typename T>
- * using my_type = T;
- *
- * using my_int_type = my_type<int>;
- * ```
- */
-class AliasTemplateInstantiationType extends TypeAliasType {
-  AliasTemplateType at;
-
-  AliasTemplateInstantiationType() { at.getAnInstantiation() = this }
-
-  override string getAPrimaryQlClass() { result = "AliasTemplateInstantiationType" }
-
-  /**
-   * Gets the alias template from which this instantiation was instantiated.
-   */
-  AliasTemplateType getTemplate() { result = at }
-}
-
-/**
- * A C++ `typedef` type that is directly enclosed by a function.
- *
- * For example the type declared inside the function `foo` in
+ * A C++ `typedef` type that is directly enclosed by a function.  For example the type declared inside the function `foo` in
 * the following code:
 * ```
 * int foo(void) { typedef int local; }
--- a/cpp/ql/lib/semmle/code/cpp/Variable.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Variable.qll
@@ -614,27 +614,6 @@ class TemplateVariable extends Variable {
    result.isConstructedFrom(this) and
    not result.isSpecialization()
  }
-
-  /**
-   * Gets the class member template this template was generated from.
-   *
-   * This predicate only has results for templates that are members of class
-   * template instantiations. For example, for `MyTemplateClass<int>::x<S>`
-   * in the following code, the result is `MyTemplateClass<T>::x<S>`.
-   * ```cpp
-   * template<class T>
-   * class MyTemplateClass {
-   *   template<class S>
-   *   static S x;
-   * };
-   *
-   * template
-   * class MyTemplateClass<int>;
-   * ```
-   */
-  TemplateVariable getOriginalTemplate() {
-    variable_template_generated_from(underlyingElement(this), unresolveElement(result))
-  }
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/commons/Scanf.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/Scanf.qll
@@ -25,15 +25,6 @@ abstract class ScanfFunction extends Function {
   * (rather than a `char*`).
   */
  predicate isWideCharDefault() { exists(this.getName().indexOf("wscanf")) }
-
-  /** Holds if this is one of the `scanf_s` variants. */
-  predicate isSVariant() {
-    exists(string name | name = this.getName() |
-      name.matches("%\\_s")
-      or
-      name.matches("%\\_s\\_l")
-    )
-  }
 }

 /**
@@ -43,12 +34,8 @@ class Scanf extends ScanfFunction instanceof TopLevelFunction {
  Scanf() {
    this.hasGlobalOrStdOrBslName("scanf") or // scanf(format, args...)
    this.hasGlobalOrStdOrBslName("wscanf") or // wscanf(format, args...)
-    this.hasGlobalOrStdOrBslName("scanf_s") or // scanf_s(format, args...)
-    this.hasGlobalOrStdOrBslName("wscanf_s") or // wscanf_s(format, args...)
    this.hasGlobalName("_scanf_l") or // _scanf_l(format, locale, args...)
-    this.hasGlobalName("_wscanf_l") or // _wscanf_l(format, locale, args...)
-    this.hasGlobalName("_scanf_s_l") or // _scanf_s_l(format, locale, args...)
-    this.hasGlobalName("_wscanf_s_l") // _wscanf_s_l(format, locale, args...)
+    this.hasGlobalName("_wscanf_l")
  }

  override int getInputParameterIndex() { none() }
@@ -63,12 +50,8 @@ class Fscanf extends ScanfFunction instanceof TopLevelFunction {
  Fscanf() {
    this.hasGlobalOrStdOrBslName("fscanf") or // fscanf(src_stream, format, args...)
    this.hasGlobalOrStdOrBslName("fwscanf") or // fwscanf(src_stream, format, args...)
-    this.hasGlobalOrStdOrBslName("fscanf_s") or // fscanf_s(src_stream, format, args...)
-    this.hasGlobalOrStdOrBslName("fwscanf_s") or // fwscanf_s(src_stream, format, args...)
    this.hasGlobalName("_fscanf_l") or // _fscanf_l(src_stream, format, locale, args...)
-    this.hasGlobalName("_fwscanf_l") or // _fwscanf_l(src_stream, format, locale, args...)
-    this.hasGlobalName("_fscanf_s_l") or // _fscanf_s_l(src_stream, format, locale, args...)
-    this.hasGlobalName("_fwscanf_s_l") // _fwscanf_s_l(src_stream, format, locale, args...)
+    this.hasGlobalName("_fwscanf_l")
  }

  override int getInputParameterIndex() { result = 0 }
@@ -83,12 +66,8 @@ class Sscanf extends ScanfFunction instanceof TopLevelFunction {
  Sscanf() {
    this.hasGlobalOrStdOrBslName("sscanf") or // sscanf(src_stream, format, args...)
    this.hasGlobalOrStdOrBslName("swscanf") or // swscanf(src, format, args...)
-    this.hasGlobalOrStdOrBslName("sscanf_s") or // sscanf_s(src, format, args...)
-    this.hasGlobalOrStdOrBslName("swscanf_s") or // swscanf_s(src, format, args...)
    this.hasGlobalName("_sscanf_l") or // _sscanf_l(src, format, locale, args...)
-    this.hasGlobalName("_swscanf_l") or // _swscanf_l(src, format, locale, args...)
-    this.hasGlobalName("_sscanf_s_l") or // _sscanf_s_l(src, format, locale, args...)
-    this.hasGlobalName("_swscanf_s_l") // _swscanf_s_l(src, format, locale, args...)
+    this.hasGlobalName("_swscanf_l")
  }

  override int getInputParameterIndex() { result = 0 }
@@ -118,14 +97,6 @@ class Snscanf extends ScanfFunction instanceof TopLevelFunction {
  int getInputLengthParameterIndex() { result = 1 }
 }

-private predicate isCharLike(Type t) { t instanceof CharType or t instanceof Wchar_t }
-
-private predicate isStringLike(Type t) {
-  isCharLike(t.(PointerType).getBaseType())
-  or
-  isCharLike(t.(ArrayType).getBaseType())
-}
-
 /**
 * A call to one of the `scanf` functions.
 */
@@ -159,40 +130,14 @@ class ScanfFunctionCall extends FunctionCall {
   */
  predicate isWideCharDefault() { this.getScanfFunction().isWideCharDefault() }

-  bindingset[this, k]
-  pragma[inline_late]
-  private predicate isSizeArgument(int k) {
-    // The first vararg is never the size argument since a size argument must
-    // always follow a string buffer argument.
-    k > 0 and
-    isStringLike(this.getArgument(this.getScanfFunction().getNumberOfParameters() + k - 1)
-          .getUnspecifiedType())
-  }
-
  /**
   * Gets the output argument at position `n` in the vararg list of this call.
   *
   * The range of `n` is from `0` to `this.getNumberOfOutputArguments() - 1`.
   */
  Expr getOutputArgument(int n) {
-    exists(ScanfFunction target | target = this.getScanfFunction() |
-      // If this is an S variant then every string buffer argument has a
-      // corresponding size argument immediately following it, so we need to
-      // skip over those size arguments when counting the output arguments.
-      if target.isSVariant()
-      then
-        result =
-          rank[n + 1](Expr arg, int k |
-            k >= 0 and
-            arg = this.getArgument(target.getNumberOfParameters() + k) and
-            not this.isSizeArgument(k)
-          |
-            arg order by k
-          )
-      else (
-        n >= 0 and result = this.getArgument(target.getNumberOfParameters() + n)
-      )
-    )
+    result = this.getArgument(this.getTarget().getNumberOfParameters() + n) and
+    n >= 0
  }

  /**
--- a/cpp/ql/lib/semmle/code/cpp/internal/QualifiedName.qll
+++ b/cpp/ql/lib/semmle/code/cpp/internal/QualifiedName.qll
@@ -18,7 +18,7 @@ class Namespace extends @namespace {
    if namespacembrs(_, this)
    then
      exists(Namespace ns |
-        namespacembrs(ns, pragma[only_bind_out](this)) and
+        namespacembrs(ns, this) and
        result = ns.getQualifiedName() + "::" + this.getName()
      )
    else result = this.getName()
@@ -37,7 +37,7 @@ class Namespace extends @namespace {
  string getAQualifierForMembers() {
    if namespacembrs(_, this)
    then
-      exists(Namespace ns | namespacembrs(ns, pragma[only_bind_out](this)) |
+      exists(Namespace ns | namespacembrs(ns, this) |
        result = ns.getAQualifierForMembers() + "::" + this.getName()
        or
        // If this is an inline namespace, its members are also visible in any
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImpl.qll
@@ -136,9 +136,7 @@ private module SourceVariables {
    NormalSourceVariable() { this = TNormalSourceVariable(base, ind) }

    final override string toString() {
-      if this.getIndirection() = 0
-      then result = "&" + base.toString()
-      else result = repeatStars(this.getIndirection() - 1) + base.toString()
+      result = repeatStars(this.getIndirection()) + base.toString()
    }
  }

@@ -159,9 +157,7 @@ private module SourceVariables {
    }

    final override string toString() {
-      if this.getIndirection() = 0
-      then result = "&" + base.toString() + " [before crement]"
-      else result = repeatStars(this.getIndirection() - 1) + base.toString() + " [before crement]"
+      result = repeatStars(this.getIndirection()) + base.toString() + " [before crement]"
    }

    /**
@@ -1357,52 +1353,6 @@ class PhiNode extends Definition instanceof SsaImpl::PhiNode {
  final predicate hasInputFromBlock(Definition input, IRBlock bb) {
    phiHasInputFromBlock(this, input, bb)
  }
-
-  override int getIndirection() { result = this.getSourceVariable().getIndirection() }
-
-  override predicate isCertain() {
-    // If this phi node is part of a phi cycle of phi nodes the least
-    // fixed-point semantics of datalog means we don't get the right answer.
-    // So we perform an SCC reduction to simulate greatest fixed-point semantics.
-    getCycle(this).isCertain()
-    or
-    // If there is no cycle we get the right semantics through traditional
-    // recursion.
-    not exists(getCycle(this)) and
-    forex(Definition inp | inp = this.getAnInput() | inp.isCertain())
-  }
-
-  final override Declaration getFunction() {
-    result = SsaImpl::PhiNode.super.getBasicBlock().getEnclosingFunction()
-  }
-}
-
-private PhiNode getAnInput(PhiNode phi) { result = phi.getAnInput() }
-
-private predicate sccEdge(PhiNode phi1, PhiNode phi2) {
-  getAnInput(phi1) = phi2 and getAnInput+(phi2) = phi1
-}
-
-private module PhiCycleEquivalence = QlBuiltins::EquivalenceRelation<PhiNode, sccEdge/2>;
-
-private PhiCycle getCycle(PhiNode phi) { result.getAPhiNode() = phi }
-
-private class PhiCycle extends PhiCycleEquivalence::EquivalenceClass {
-  PhiNode getAPhiNode() { PhiCycleEquivalence::getEquivalenceClass(result) = this }
-
-  predicate hasPhiNode(PhiNode phi) { this.getAPhiNode() = phi }
-
-  pragma[nomagic]
-  Definition getAnInput() {
-    result = this.getAPhiNode().getAnInput() and not this.hasPhiNode(result)
-  }
-
-  string toString() { result = strictconcat(this.getAPhiNode().toString(), ", ") }
-
-  predicate isCertain() {
-    // A phi cycle is certain if all of the inputs into the phi cycle is certain.
-    forex(Definition inp | inp = this.getAnInput() | inp.isCertain())
-  }
 }

 /** An static single assignment (SSA) definition. */
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplCommon.qll
@@ -147,7 +147,7 @@ abstract class Indirection extends Type {
   *
   * `certain` is `true` if this write is guaranteed to write to the address.
   */
-  predicate isAdditionalWrite(Node0Impl value, Operand address, Certainty certain) { none() }
+  predicate isAdditionalWrite(Node0Impl value, Operand address, boolean certain) { none() }

  /**
   * Gets the base type of this indirection, after specifiers have been deeply
@@ -198,11 +198,11 @@ private module IteratorIndirections {
      baseType = super.getValueType()
    }

-    override predicate isAdditionalWrite(Node0Impl value, Operand address, Certainty certain) {
+    override predicate isAdditionalWrite(Node0Impl value, Operand address, boolean certain) {
      exists(CallInstruction call | call.getArgumentOperand(0) = value.asOperand() |
        this = call.getStaticCallTarget().(Function).getClassAndName("operator=") and
        address = call.getThisArgumentOperand() and
-        certain instanceof AlwaysUncertain
+        certain = false
      )
    }

@@ -271,62 +271,30 @@ predicate isDereference(Instruction deref, Operand address, boolean additional)
  additional = false
 }

-private newtype TCertainty =
-  TCertainWhenAddressIsCertain() or
-  TAlwaysCertain() or
-  TAlwaysUncertain()
-
-abstract private class Certainty extends TCertainty {
-  abstract predicate isCertain(boolean addressIsCertain);
-
-  abstract string toString();
-}
-
-private class CertainWhenAddressIsCertain extends Certainty, TCertainWhenAddressIsCertain {
-  override predicate isCertain(boolean addressIsCertain) { addressIsCertain = true }
-
-  override string toString() { result = "CertainWhenAddressIsCertain" }
-}
-
-private class AlwaysCertain extends Certainty, TAlwaysCertain {
-  override predicate isCertain(boolean addressIsCertain) {
-    addressIsCertain = true or addressIsCertain = false
-  }
-
-  override string toString() { result = "AlwaysCertain" }
-}
-
-private class AlwaysUncertain extends Certainty, TAlwaysUncertain {
-  override predicate isCertain(boolean addressIsCertain) { none() }
-
-  override string toString() { result = "AlwaysUncertain" }
-}
-
-predicate isWrite(Node0Impl value, Operand address, Certainty certain) {
+predicate isWrite(Node0Impl value, Operand address, boolean certain) {
  any(Indirection ind).isAdditionalWrite(value, address, certain)
  or
-  exists(StoreInstruction store |
-    value.asInstruction() = store and
-    address = store.getDestinationAddressOperand() and
-    certain instanceof CertainWhenAddressIsCertain
-  )
-  or
-  exists(InitializeParameterInstruction init |
-    value.asInstruction() = init and
-    address = init.getAnOperand() and
-    certain instanceof AlwaysCertain
-  )
-  or
-  exists(InitializeDynamicAllocationInstruction init |
-    value.asInstruction() = init and
-    address = init.getAllocationAddressOperand() and
-    certain instanceof AlwaysCertain
-  )
-  or
-  exists(UninitializedInstruction uninitialized |
-    value.asInstruction() = uninitialized and
-    address = uninitialized.getAnOperand() and
-    certain instanceof AlwaysCertain
+  certain = true and
+  (
+    exists(StoreInstruction store |
+      value.asInstruction() = store and
+      address = store.getDestinationAddressOperand()
+    )
+    or
+    exists(InitializeParameterInstruction init |
+      value.asInstruction() = init and
+      address = init.getAnOperand()
+    )
+    or
+    exists(InitializeDynamicAllocationInstruction init |
+      value.asInstruction() = init and
+      address = init.getAllocationAddressOperand()
+    )
+    or
+    exists(UninitializedInstruction uninitialized |
+      value.asInstruction() = uninitialized and
+      address = uninitialized.getAnOperand()
+    )
  )
 }

@@ -750,18 +718,16 @@ private module Cached {
    int indirectionIndex
  ) {
    exists(
-      Certainty writeIsCertain, boolean addressIsCertain, int ind0, CppType type, int lower,
-      int upper
+      boolean writeIsCertain, boolean addressIsCertain, int ind0, CppType type, int lower, int upper
    |
      isWrite(value, address, writeIsCertain) and
      isDefImpl(address, base, ind0, addressIsCertain) and
+      certain = writeIsCertain.booleanAnd(addressIsCertain) and
      type = getLanguageType(address) and
      upper = countIndirectionsForCppType(type) and
      ind = ind0 + [lower .. upper] and
      indirectionIndex = ind - (ind0 + lower) and
      lower = getMinIndirectionsForType(any(Type t | type.hasUnspecifiedType(t, _)))
-    |
-      if writeIsCertain.isCertain(addressIsCertain) then certain = true else certain = false
    )
  }

--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedAssertion.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedAssertion.qll
@@ -114,7 +114,6 @@ private predicate parseArgument(string arg, string s, int i, Opcode opcode) {

 private Element getAChildScope(Element scope) { result.getParentScope() = scope }

-pragma[nomagic]
 private predicate hasAVariable(MacroInvocation mi, Stmt s, Element scope) {
  assertion0(mi, s, _) and
  s.getParent() = scope
@@ -122,32 +121,15 @@ private predicate hasAVariable(MacroInvocation mi, Stmt s, Element scope) {
  hasAVariable(mi, s, getAChildScope(scope))
 }

-private predicate hasParentScope(Variable v, Element scope) { v.getParentScope() = scope }
-
-pragma[nomagic]
-private predicate hasAssertionOperand(MacroInvocation mi, int i, Stmt s, string operand) {
-  exists(string arg |
-    assertion0(mi, s, arg) and
-    parseArgument(arg, operand, i, _)
-  )
-}
-
-pragma[nomagic]
-private predicate hasNameAndParentScope(string name, Element scope, Variable v) {
-  v.hasName(name) and
-  hasParentScope(v, scope)
-}
-
-pragma[nomagic]
 private LocalScopeVariable getVariable(MacroInvocation mi, int i) {
-  exists(string name, Stmt s |
-    hasAssertionOperand(mi, i, s, name) and
+  exists(string operand, string arg, Stmt s |
+    assertion0(mi, s, arg) and
+    parseArgument(arg, operand, i, _) and
    result =
-      unique(Variable v, Element parentScope |
-        hasAssertionOperand(mi, _, s, name) and
+      unique(Variable v |
        v.getLocation().getStartLine() < s.getLocation().getStartLine() and
-        hasAVariable(mi, s, parentScope) and
-        hasNameAndParentScope(name, parentScope, v)
+        hasAVariable(mi, s, v.getParentScope()) and
+        v.hasName(operand)
      |
        v
      )
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Fopen.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Fopen.qll
@@ -11,9 +11,7 @@ private class Fopen extends Function, AliasFunction, SideEffectFunction, TaintFu
  Fopen() {
    this.hasGlobalOrStdName(["fopen", "fopen_s", "freopen"])
    or
-    this.hasGlobalName([
-        "_open", "_wfopen", "_fsopen", "_wfsopen", "_wopen", "_sopen_s", "_wsopen_s"
-      ])
+    this.hasGlobalName(["_open", "_wfopen", "_fsopen", "_wfsopen", "_wopen"])
  }

  override predicate hasOnlySpecificWriteSideEffects() { any() }
@@ -48,10 +46,6 @@ private class Fopen extends Function, AliasFunction, SideEffectFunction, TaintFu
    this.hasGlobalName(["_open", "_wopen"]) and
    i = 0 and
    buffer = true
-    or
-    this.hasGlobalName(["_sopen_s", "_wsopen_s"]) and
-    i = 1 and
-    buffer = true
  }

  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -70,9 +64,5 @@ private class Fopen extends Function, AliasFunction, SideEffectFunction, TaintFu
    this.hasGlobalName(["_open", "_wopen"]) and
    input.isParameterDeref(0) and
    output.isReturnValue()
-    or
-    this.hasGlobalName(["_sopen_s", "_wsopen_s"]) and
-    input.isParameterDeref(1) and
-    output.isParameterDeref(0)
  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Scanf.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Scanf.qll
@@ -30,10 +30,7 @@ abstract private class ScanfFunctionModel extends ArrayFunction, TaintFunction,
    (
      if exists(this.getLengthParameterIndex())
      then result = this.getLengthParameterIndex() + 2
-      else
-        if exists(this.(ScanfFunction).getInputParameterIndex())
-        then result = 2
-        else result = 1
+      else result = 2
    )
  }

@@ -72,24 +69,13 @@ abstract private class ScanfFunctionModel extends ArrayFunction, TaintFunction,
  }
 }

-private predicate hasFlowSource(
-  ScanfFunction func, ScanfFunctionCall call, FunctionOutput output, string description
-) {
-  exists(int n, Expr arg |
-    call.getScanfFunction() = func and
-    call.getOutputArgument(_) = arg and
-    call.getArgument(n) = arg and
-    output.isParameterDeref(n) and
-    description = "value read by " + func.getName()
-  )
-}
-
 /**
 * The standard function `scanf` and its assorted variants
 */
 private class ScanfModel extends ScanfFunctionModel, LocalFlowSourceFunction instanceof Scanf {
-  override predicate hasLocalFlowSource(Call call, FunctionOutput output, string description) {
-    hasFlowSource(this, call, output, description)
+  override predicate hasLocalFlowSource(FunctionOutput output, string description) {
+    output.isParameterDeref(any(int i | i >= this.getArgsStartPosition())) and
+    description = "value read by " + this.getName()
  }
 }

@@ -97,12 +83,9 @@ private class ScanfModel extends ScanfFunctionModel, LocalFlowSourceFunction ins
 * The standard function `fscanf` and its assorted variants
 */
 private class FscanfModel extends ScanfFunctionModel, RemoteFlowSourceFunction instanceof Fscanf {
-  override predicate hasRemoteFlowSource(Call call, FunctionOutput output, string description) {
-    hasFlowSource(this, call, output, description)
-  }
-
-  override predicate hasSocketInput(FunctionInput input) {
-    input.isParameterDeref(super.getInputParameterIndex())
+  override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
+    output.isParameterDeref(any(int i | i >= this.getArgsStartPosition())) and
+    description = "value read by " + this.getName()
  }
 }

--- a/cpp/ql/lib/semmle/code/cpp/models/interfaces/FlowSource.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/interfaces/FlowSource.qll
@@ -18,17 +18,7 @@ abstract class RemoteFlowSourceFunction extends Function {
  /**
   * Holds if remote data described by `description` flows from `output` of a call to this function.
   */
-  predicate hasRemoteFlowSource(FunctionOutput output, string description) {
-    this.hasRemoteFlowSource(_, output, description)
-  }
-
-  /**
-   * Holds if remote data described by `description` flows from `output` of `call` to this function.
-   */
-  predicate hasRemoteFlowSource(Call call, FunctionOutput output, string description) {
-    call.getTarget() = this and
-    this.hasRemoteFlowSource(output, description)
-  }
+  abstract predicate hasRemoteFlowSource(FunctionOutput output, string description);

  /**
   * Holds if remote data from this source comes from a socket or stream
@@ -45,17 +35,7 @@ abstract class LocalFlowSourceFunction extends Function {
  /**
   * Holds if data described by `description` flows from `output` of a call to this function.
   */
-  predicate hasLocalFlowSource(FunctionOutput output, string description) {
-    this.hasLocalFlowSource(_, output, description)
-  }
-
-  /**
-   * Holds if data described by `description` flows from `output` of `call` to this function.
-   */
-  predicate hasLocalFlowSource(Call call, FunctionOutput output, string description) {
-    call.getTarget() = this and
-    this.hasLocalFlowSource(output, description)
-  }
+  abstract predicate hasLocalFlowSource(FunctionOutput output, string description);
 }

 /** A library function that sends data over a network connection. */
--- a/cpp/ql/lib/semmle/code/cpp/security/FlowSources.qll
+++ b/cpp/ql/lib/semmle/code/cpp/security/FlowSources.qll
@@ -28,7 +28,8 @@ private class RemoteModelSource extends RemoteFlowSource {

  RemoteModelSource() {
    exists(CallInstruction call, RemoteFlowSourceFunction func, FunctionOutput output |
-      func.hasRemoteFlowSource(call.getConvertedResultExpression(), output, sourceType) and
+      call.getStaticCallTarget() = func and
+      func.hasRemoteFlowSource(output, sourceType) and
      this = callOutput(call, output)
    )
  }
@@ -45,7 +46,7 @@ private class LocalModelSource extends LocalFlowSource {
  LocalModelSource() {
    exists(CallInstruction call, LocalFlowSourceFunction func, FunctionOutput output |
      call.getStaticCallTarget() = func and
-      func.hasLocalFlowSource(call.getConvertedResultExpression(), output, sourceType) and
+      func.hasLocalFlowSource(output, sourceType) and
      this = callOutput(call, output)
    )
  }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Paolo Tranquilli	b31be52911	Merge remote-tracking branch 'origin/main' into redsun82/just2	2026-04-15 09:12:25 +02:00
Paolo Tranquilli	97e18629e0	Just: run Swift extra-tests sequentially The parallel attribute causes concurrent sembuild calls that conflict with each other. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-04-15 09:10:50 +02:00
Paolo Tranquilli	95cb1f6796	Just: fix Windows issues in codeql_test_run.py - Use posix=False for shlex.split on Windows to prevent backslashes in paths from being interpreted as escape characters - Prefer codeql.exe over the Unix shell wrapper on Windows Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-04-14 14:36:34 +02:00
Paolo Tranquilli	1d31394a8f	Just: fix MSYS2 path conversion for bazel targets on Windows On Windows Git Bash, MSYS2 converts // prefixes to / when passing arguments to non-MSYS programs, breaking Bazel target labels like //language-packs:foo. Set MSYS2_ARG_CONV_EXCL="*" to disable this. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-04-14 11:34:25 +02:00
Paolo Tranquilli	d59be76349	Merge remote-tracking branch 'origin/main' into redsun82/just2	2026-04-13 18:02:28 +02:00
Paolo Tranquilli	543c31f65d	Merge remote-tracking branch 'origin/main' into redsun82/just2	2026-04-10 14:19:13 +02:00
Paolo Tranquilli	223487aa53	Merge remote-tracking branch 'origin/main' into redsun82/just2	2026-04-02 17:35:24 +02:00
Paolo Tranquilli	cf317edfbb	Just: modernize justfiles for just 1.48.1 Use f-strings instead of `+` concatenation, remove `set unstable` (all previously unstable features are now stable), and add `[parallel]` to swift `extra-tests` recipe. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-04-02 17:26:00 +02:00
Paolo Tranquilli	b4dac99920	Just: add integration-tests justfiles for all languages Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-04-02 15:17:21 +02:00
Paolo Tranquilli	8a896ef775	Merge remote-tracking branch 'origin/main' into redsun82/just2	2026-04-02 14:31:09 +02:00
Paolo Tranquilli	4d4bb14e9c	Just: read python_version from env for nested just propagation Use env("python_version", "3") so that when the parent just process exports the variable, nested just calls (via language_tests.py) pick it up. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-04-02 14:24:11 +02:00
Paolo Tranquilli	5c41b1d4b8	Just: port actions to new language test definition Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-04-02 12:49:58 +02:00
Paolo Tranquilli	99151425f0	Just: port kotlin tests to new language test definition Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-04-02 12:49:27 +02:00
Paolo Tranquilli	d3b6590955	Just: port python to new language test definition Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-04-02 12:46:24 +02:00
Paolo Tranquilli	d358cf3be0	C++: Add conditional import for coding-standards recipe Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-04-02 12:41:43 +02:00
Paolo Tranquilli	5125835faf	C++: Port to new just-based language test definition Add justfiles for C++ following the pattern of other ported languages (go, rust, swift). Move consistency queries from semmle-code's semmlecode-cpp-consistency-queries/ to ql/cpp/ql/consistency-queries/. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-04-02 12:41:43 +02:00
Paolo Tranquilli	72d9afeb34	Just: port csharp, go, javascript and ruby to new language test definition Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-04-02 12:10:05 +02:00
Paolo Tranquilli	85b89d2f22	Just: port helper scripts from TypeScript to Python Replace `npx tsx`-based scripts with standard Python 3: - `codeql-test-run.ts` → `codeql_test_run.py` - `language-tests.ts` → `language_tests.py` - `forward-command.ts` → `forward_command.py` Uses `shlex.split` and `pathlib` instead of hand-rolled parsing. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-04-02 12:10:05 +02:00
Paolo Tranquilli	fd97208960	Just: use bazel test with -as-test targets for dist building This avoids reinstalling dists when nothing changed, by leveraging bazel test's caching behavior with the existing -as-test target variants. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-04-02 12:07:45 +02:00
Paolo Tranquilli	994e5510bd	Merge branch 'main' into redsun82/just2	2026-03-10 14:02:14 +01:00
Paolo Tranquilli	0f28502e68	Merge branch 'main' into redsun82/just2	2025-11-14 12:28:00 +01:00
Paolo Tranquilli	469d09c9af	Merge branch 'main' into redsun82/just2	2025-08-14 15:05:44 +02:00
Paolo Tranquilli	9d52a08793	Just: add some docs in source	2025-08-12 10:00:17 +02:00
Paolo Tranquilli	db83285c9f	Merge branch 'main' into redsun82/just2	2025-08-12 09:59:46 +02:00
Paolo Tranquilli	15e8e4803d	Just: run prettier on `.ts` files	2025-08-12 09:46:27 +02:00
Paolo Tranquilli	c67e1230b6	Just: add `README.md`	2025-08-12 09:46:00 +02:00
Paolo Tranquilli	f1febac3ec	Merge branch 'main' into redsun82/just2	2025-08-11 14:06:16 +02:00
Paolo Tranquilli	4284d66afb	Merge branch 'main' into redsun82/just2	2025-07-18 15:27:26 +02:00
Paolo Tranquilli	0e3ee6efd7	Just: reorganize code and revamp formatting	2025-07-18 15:27:12 +02:00
Paolo Tranquilli	365b2ebd6d	Merge branch 'main' into redsun82/just2	2025-07-18 14:26:56 +02:00
Paolo Tranquilli	f2a6503efe	Just: use bazel directly for dist building	2025-07-18 14:26:48 +02:00
Paolo Tranquilli	7e7afbabcd	Merge branch 'main' into redsun82/just2	2025-07-17 16:57:44 +02:00
Paolo Tranquilli	103745b5d2	Just: group just invocations in forwarder and improve logging	2025-07-10 10:34:35 +02:00
Paolo Tranquilli	92672836dc	Merge branch 'main' into redsun82/just2	2025-07-10 10:17:03 +02:00
Paolo Tranquilli	c51f2f8780	Merge branch 'main' into redsun82/just2	2025-07-09 14:50:41 +02:00
Paolo Tranquilli	c9cda74195	Just: allow mixing different verb implementations This allows to mix different verb implementations in a single invocation, for example: ``` just build ql/rust ql/java just test ql/rust/ql/test/some/test ql/rust/ql/integrartion-test/some other ``` If a common justfile recipe is found, it is used for all arguments in one go. If on the other hand no common justfile recipe is found, each argument is processed separately in sequence. This does require that any flags passed are compatible with all recipes involved (like is the case for `--learn` or `--codeql=built` for language and integration tests).	2025-07-09 14:47:38 +02:00
Paolo Tranquilli	bd003c58a8	Just: add `_if_not_on_ci_just` helper, and add generation prerequisites	2025-07-08 17:22:27 +02:00
Paolo Tranquilli	08097157fd	Merge branch 'main' into redsun82/just2	2025-07-08 16:01:41 +02:00
Paolo Tranquilli	b8b01ce71c	Just: rename `_build` to `_build_dist`	2025-07-08 15:53:51 +02:00
Paolo Tranquilli	7f72f87204	Just: fix `just rust format` and similar	2025-07-08 15:50:37 +02:00
Paolo Tranquilli	aa09288462	Just: introduce aliases	2025-07-08 15:49:23 +02:00
Paolo Tranquilli	8ba7efd455	Just: fix mono-argument case for argumentless recipes	2025-07-08 15:41:18 +02:00
Paolo Tranquilli	bb467d4abf	Just: fix CI build for rust	2025-07-08 15:40:35 +02:00
Paolo Tranquilli	d987aa67ec	Merge branch 'main' into redsun82/just2	2025-07-08 14:06:30 +02:00
Paolo Tranquilli	e8bcbbd6df	Just: add `language-tests.ts` helper	2025-07-08 14:06:14 +02:00
Paolo Tranquilli	acc7e3f32d	Just: add `generate` prerequisite to rust ql tests	2025-07-08 10:52:37 +02:00
Paolo Tranquilli	c4305151c3	Just: simplify forwarder using `--justfile`	2025-07-08 10:52:15 +02:00
Paolo Tranquilli	fba96c4eae	Just: add root `lib.just`	2025-07-07 17:39:59 +02:00
Paolo Tranquilli	cb652f3dc8	Just: add `format` to just directory	2025-07-07 17:37:19 +02:00
Paolo Tranquilli	6e14111337	Just: use `--all-checks` and `--codeql` special flags, and relativize flags in forwarder	2025-07-07 17:35:06 +02:00
Paolo Tranquilli	d7d7cf920a	Just: format `ts` files	2025-07-07 15:52:53 +02:00
Paolo Tranquilli	a4acf0890e	Just: fix ram option for `codeql test run`	2025-07-07 15:52:20 +02:00
Paolo Tranquilli	812fc2349b	Merge branch 'main' into redsun82/just2	2025-07-07 15:50:09 +02:00
Paolo Tranquilli	5b9436a95f	Just: fix swift tests	2025-07-04 17:27:43 +02:00
Paolo Tranquilli	4768ebabee	Merge branch 'main' into redsun82/just2	2025-07-04 17:22:17 +02:00
Paolo Tranquilli	9e31fb50c8	Just: fix and add windows	2025-07-04 16:07:31 +02:00
Paolo Tranquilli	2dea9da38c	Just: add `codegen`	2025-07-04 13:45:45 +02:00
Paolo Tranquilli	1202af1c5c	Just: fix for windows	2025-07-04 13:45:10 +02:00
Paolo Tranquilli	9c284b1778	Just: introduce scaffolding for common verbs, and apply to rust	2025-07-04 12:32:14 +02:00