Merge branch 'main' into oscarsj/migrate-builders-macos-15

Author: oscarsj

actions/ql/lib/CHANGELOG.md

@@ -1,3 +1,10 @@
+## 0.4.6
+
+### Bug Fixes
+
+* The query `actions/code-injection/medium` now produces alerts for injection
+  vulnerabilities on `pull_request` events.
+
 ## 0.4.5
 
 No user-facing changes.

actions/ql/lib/change-notes/2025-03-20-code-injection-pr.md renamed to actions/ql/lib/change-notes/released/0.4.6.md

@@ -1,5 +1,6 @@
----
-category: fix
----
+## 0.4.6
+
+### Bug Fixes
+
 * The query `actions/code-injection/medium` now produces alerts for injection
-  vulnerabilities on `pull_request` events.
+  vulnerabilities on `pull_request` events.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.5
+lastReleaseVersion: 0.4.6

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.6-dev
+version: 0.4.7-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,3 +1,11 @@
+## 0.5.3
+
+### Bug Fixes
+
+* Fixed typos in the query and alert titles for the queries
+  `actions/envpath-injection/critical`, `actions/envpath-injection/medium`,
+  `actions/envvar-injection/critical`, and `actions/envvar-injection/medium`.
+
 ## 0.5.2
 
 No user-facing changes.
@@ -7,9 +15,10 @@ No user-facing changes.
 ### Bug Fixes
 
 * The `actions/unversioned-immutable-action` query will no longer report any alerts, since the
-  Immutable Actions feature is not yet available for customer use. The query remains in the
-  default Code Scanning suites for use internal to GitHub. Once the Immutable Actions feature is
-  available, the query will be updated to report alerts again.
+  Immutable Actions feature is not yet available for customer use. The query has also been moved
+  to the experimental folder and will not be used in code scanning unless it is explicitly added
+  to a code scanning configuration. Once the Immutable Actions feature is available, the query will
+  be updated to report alerts again.
 
 ## 0.5.0
 

actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql

@@ -1,5 +1,5 @@
 /**
- * @name Checkout of untrusted code in a priviledged context
+ * @name Checkout of untrusted code in a privileged context
  * @description Privileged workflows have read/write access to the base repository and access to secrets.
  *              By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
  *              that is able to push to the base repository and to access secrets.

actions/ql/src/change-notes/2025-03-13-environment-query-names.md renamed to actions/ql/src/change-notes/released/0.5.3.md

@@ -1,6 +1,7 @@
----
-category: fix
----
+## 0.5.3
+
+### Bug Fixes
+
 * Fixed typos in the query and alert titles for the queries
   `actions/envpath-injection/critical`, `actions/envpath-injection/medium`,
-  `actions/envvar-injection/critical`, and `actions/envvar-injection/medium`.
+  `actions/envvar-injection/critical`, and `actions/envvar-injection/medium`.

actions/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.5.2
+lastReleaseVersion: 0.5.3

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.5.3-dev
+version: 0.5.4-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 4.1.0
+
+### New Features
+
+* Added `Node.asUncertainDefinition` and `Node.asCertainDefinition` to the `DataFlow::Node` class for querying whether a definition overwrites the entire destination buffer.
+
 ## 4.0.3
 
 No user-facing changes.