Merge tag 'codeql-cli/latest'

Compatible with the latest released version of the CodeQL CLI

.bazelrc

@@ -24,4 +24,12 @@ common --registry=https://bcr.bazel.build
 
 common --@rules_dotnet//dotnet/settings:strict_deps=false
 
+# Reduce this eventually to empty, once we've fixed all our usages of java, and https://github.com/bazel-contrib/rules_go/issues/4193 is fixed
+common --incompatible_autoload_externally="+@rules_java,+@rules_shell"
+
+build --java_language_version=17
+build --tool_java_language_version=17
+build --tool_java_runtime_version=remotejdk_17
+build --java_runtime_version=remotejdk_17
+
 try-import %workspace%/local.bazelrc

.bazelversion

@@ -1 +1 @@
-8.0.0rc1
+8.0.0

.gitattributes

@@ -86,4 +86,5 @@
 /misc/ripunzip/ripunzip-* filter=lfs diff=lfs merge=lfs -text
 
 # swift prebuilt resources
-/swift/third_party/resource-dir/*.zip filter=lfs diff=lfs merge=lfs -text
+/swift/third_party/resources/*.zip filter=lfs diff=lfs merge=lfs -text
+/swift/third_party/resources/*.tar.zst filter=lfs diff=lfs merge=lfs -text

.github/codeql/codeql-config.yml

@@ -9,5 +9,4 @@ paths-ignore:
   - '/python/'
   - '/javascript/ql/test'
   - '/javascript/extractor/tests'
-  - '/rust/ql/test'
-  - '/rust/ql/integration-tests'
+  - '/rust/ql'

.github/workflows/check-qldoc.yml

@@ -30,7 +30,8 @@ jobs:
         run: |
           EXIT_CODE=0
           # TODO: remove the shared exception from the regex when coverage of qlpacks without dbschemes is supported
-          changed_lib_packs="$(git diff --name-only --diff-filter=ACMRT HEAD^ HEAD | { grep -Po '^(?!(shared))[a-z]*/ql/lib' || true; } | sort -u)"
+          # TODO: remove the actions exception once https://github.com/github/codeql-team/issues/3656 is fixed
+          changed_lib_packs="$(git diff --name-only --diff-filter=ACMRT HEAD^ HEAD | { grep -Po '^(?!(shared|actions))[a-z]*/ql/lib' || true; } | sort -u)"
           for pack_dir in ${changed_lib_packs}; do
             lang="${pack_dir%/ql/lib}"
             codeql generate library-doc-coverage --output="${RUNNER_TEMP}/${lang}-current.txt" --dir="${pack_dir}"

.github/workflows/cpp-swift-analysis.yml

@@ -19,7 +19,7 @@ on:
 jobs:
   CodeQL-Build:
 
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
 
     permissions:
       contents: read
@@ -38,12 +38,10 @@ jobs:
         languages: cpp
         config-file: ./.github/codeql/codeql-config.yml
 
-    - name: "[Ubuntu] Remove GCC 13 from runner image"
-      shell: bash
+    - name: Install dependencies
       run: |
-        sudo rm -f /etc/apt/sources.list.d/ubuntu-toolchain-r-ubuntu-test-jammy.list
         sudo apt-get update
-        sudo apt-get install -y --allow-downgrades libc6=2.35-* libc6-dev=2.35-* libstdc++6=12.3.0-* libgcc-s1=12.3.0-*
+        sudo apt-get install -y uuid-dev
 
     - name: "Build Swift extractor using Bazel"
       run: |

.github/workflows/ql-for-ql-tests.yml

@@ -40,7 +40,7 @@ jobs:
             ql/target
           key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-qltest-cargo-${{ hashFiles('ql/rust-toolchain.toml', 'ql/**/Cargo.lock') }}
       - name: Check formatting
-        run: cd ql; cargo fmt --all -- --check
+        run: cd ql; cargo fmt -- --check
       - name: Build extractor
         run: |
           cd ql;

.github/workflows/ruby-build.yml

@@ -79,7 +79,7 @@ jobs:
           key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-rust-cargo-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/**/Cargo.lock') }}
       - name: Check formatting
         if: steps.cache-extractor.outputs.cache-hit != 'true'
-        run: cd extractor && cargo fmt --all -- --check
+        run: cd extractor && cargo fmt -- --check
       - name: Build
         if: steps.cache-extractor.outputs.cache-hit != 'true'
         run: cd extractor && cargo build --verbose

.github/workflows/rust.yml

@@ -23,26 +23,48 @@ permissions:
   contents: read
 
 jobs:
-  rust-code:
+  rust-ast-generator:
     runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: rust/ast-generator
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+      - name: Inject sources
+        shell: bash
+        run: |
+          bazel run //rust/ast-generator:inject-sources
       - name: Format
-        working-directory: rust/extractor
         shell: bash
         run: |
           cargo fmt --check
       - name: Compilation
-        working-directory: rust/extractor
         shell: bash
         run: cargo check
       - name: Clippy
+        shell: bash
+        run: |
+          cargo clippy --no-deps -- -D warnings
+  rust-code:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
         working-directory: rust/extractor
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Format
+        shell: bash
+        run: |
+          cargo fmt --check
+      - name: Compilation
+        shell: bash
+        run: cargo check
+      - name: Clippy
         shell: bash
         run: |
-          cargo clippy --fix
-          git diff --exit-code
+          cargo clippy --no-deps -- -D warnings
   rust-codegen:
     runs-on: ubuntu-latest
     steps:

.github/workflows/swift.yml

@@ -50,17 +50,10 @@ jobs:
       - uses: ./swift/actions/build-and-test
   build-and-test-linux:
     if: github.repository_owner == 'github'
-    runs-on: ubuntu-latest-xl
+    runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v4
       - uses: ./swift/actions/build-and-test
-  qltests-linux:
-    if: github.repository_owner == 'github'
-    needs: build-and-test-linux
-    runs-on: ubuntu-latest-xl
-    steps:
-      - uses: actions/checkout@v4
-      - uses: ./swift/actions/run-ql-tests
   qltests-macos:
     if: ${{ github.repository_owner == 'github' && github.event_name == 'pull_request' }}
     needs: build-and-test-macos
@@ -109,3 +102,10 @@ jobs:
       - uses: actions/checkout@v4
       - uses: ./.github/actions/fetch-codeql
       - uses: ./swift/actions/database-upgrade-scripts
+  check-no-override:
+    if : github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - shell: bash
+        run: bazel test //swift/... --test_tag_filters=override --test_output=errors

.github/workflows/tree-sitter-extractor-test.yml

@@ -32,17 +32,17 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Check formatting
-        run: cargo fmt --all -- --check
+        run: cargo fmt -- --check
       - name: Run tests
         run: cargo test --verbose
   fmt:
-    runs-on: ubuntu-latest  
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - name: Check formatting
         run: cargo fmt --check
   clippy:
-    runs-on: ubuntu-latest  
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - name: Run clippy

.gitignore

@@ -8,7 +8,7 @@
 
 # qltest projects and artifacts
 *.actual
-*/ql/test/**/*.testproj
+*/ql/test*/**/*.testproj
 */ql/test/**/go.sum
 
 # Visual studio temporaries, except a file used by QL4VS

.vscode/tasks.json

@@ -81,6 +81,7 @@
             "description": "Language",
             "options":
             [
+                "actions",
                 "go",
                 "java",
                 "javascript",

CODEOWNERS

@@ -1,3 +1,4 @@
+/actions/ @github/codeql-dynamic
 /cpp/ @github/codeql-c-analysis
 /csharp/ @github/codeql-csharp
 /csharp/autobuilder/Semmle.Autobuild.Cpp @github/codeql-c-extractor