github
diff --git a/‎.github/workflows/csharp-qltest.yml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/csharp-qltest.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/ruby-qltest-rtjo.yml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/ruby-qltest-rtjo.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/ruby-qltest.yml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/ruby-qltest.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/swift.yml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/swift.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎Cargo.lock
Lines changed: 46 additions & 0 deletions b/‎Cargo.lock
Lines changed: 46 additions & 0 deletions
diff --git a/‎MODULE.bazel
Lines changed: 1 addition & 0 deletions b/‎MODULE.bazel
Lines changed: 1 addition & 0 deletions
diff --git a/‎actions/ql/lib/ext/config/actions_permissions.yml
Lines changed: 9 additions & 4 deletions b/‎actions/ql/lib/ext/config/actions_permissions.yml
Lines changed: 9 additions & 4 deletions
diff --git a/‎actions/ql/src/change-notes/2025-05-14-minimal-permission-for-add-to-project.md
Lines changed: 4 additions & 0 deletions b/‎actions/ql/src/change-notes/2025-05-14-minimal-permission-for-add-to-project.md
Lines changed: 4 additions & 0 deletions
diff --git a/‎actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms10.yml
Lines changed: 10 additions & 0 deletions b/‎actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms10.yml
Lines changed: 10 additions & 0 deletions
diff --git a/‎actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms8.yml
Lines changed: 10 additions & 0 deletions b/‎actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms8.yml
Lines changed: 10 additions & 0 deletions
@@ -66,6 +66,6 @@ jobs:
           # Update existing stubs in the repo with the freshly generated ones
           mv "$STUBS_PATH/output/stubs/_frameworks" ql/test/resources/stubs/
           git status
-          codeql test run --threads=0 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote
+          codeql test run --threads=0 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote
         env:
           GITHUB_TOKEN: ${{ github.token }}
@@ -35,6 +35,6 @@ jobs:
           key: ruby-qltest
       - name: Run QL tests
         run: |
-          codeql test run --dynamic-join-order-mode=all --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+          codeql test run --dynamic-join-order-mode=all --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
         env:
           GITHUB_TOKEN: ${{ github.token }}
@@ -68,6 +68,6 @@ jobs:
           key: ruby-qltest
       - name: Run QL tests
         run: |
-          codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+          codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
         env:
           GITHUB_TOKEN: ${{ github.token }}
@@ -32,7 +32,7 @@ jobs:
     if: github.repository_owner == 'github'
     strategy:
       matrix:
-        runner: [ubuntu-latest, macos-13-xlarge]
+        runner: [ubuntu-latest, macos-15-xlarge]
       fail-fast: false
     runs-on: ${{ matrix.runner }}
     steps:
 
@@ -124,6 +124,7 @@ use_repo(
     "vendor_ts__tree-sitter-ruby-0.23.1",
     "vendor_ts__triomphe-0.1.14",
     "vendor_ts__ungrammar-1.16.1",
+    "vendor_ts__zstd-0.13.3",
 )
 
 http_archive = use_repo_rule("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
 
@@ -22,16 +22,21 @@ extensions:
       - ["actions/stale", "pull-requests: write"]
       - ["actions/attest-build-provenance", "id-token: write"]
       - ["actions/attest-build-provenance", "attestations: write"]
+      - ["actions/deploy-pages", "pages: write"]
+      - ["actions/deploy-pages", "id-token: write"]
+      - ["actions/delete-package-versions", "packages: write"]
       - ["actions/jekyll-build-pages", "contents: read"]
       - ["actions/jekyll-build-pages", "pages: write"]
       - ["actions/jekyll-build-pages", "id-token: write"]
       - ["actions/publish-action", "contents: write"]
-      - ["actions/versions-package-tools", "contents: read"]      
+      - ["actions/versions-package-tools", "contents: read"]
       - ["actions/versions-package-tools", "actions: read"]
-      - ["actions/reusable-workflows", "contents: read"]      
+      - ["actions/reusable-workflows", "contents: read"]
       - ["actions/reusable-workflows", "actions: read"]
+      - ["actions/ai-inference", "contents: read"]
+      - ["actions/ai-inference", "models: read"]
       # TODO: Add permissions for actions/download-artifact
       # TODO: Add permissions for actions/upload-artifact
+      # No permissions needed for actions/upload-pages-artifact
       # TODO: Add permissions for actions/cache
-
-      
+      # No permissions needed for actions/configure-pages
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query `actions/missing-workflow-permissions` is now aware of the minimal permissions needed for the actions `deploy-pages`, `delete-package-versions`, `ai-inference`. This should lead to better alert messages and better fix suggestions.
@@ -0,0 +1,10 @@
+on:
+  workflow_call:
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Build and test
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/ai-inference
@@ -0,0 +1,10 @@
+on:
+  workflow_call:
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Build and test
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/deploy-pages
Original file line number	Diff line number	Diff line change
`@@ -124,6 +124,7 @@ use_repo(`
`124`	`124`	`"vendor_ts__tree-sitter-ruby-0.23.1",`
`125`	`125`	`"vendor_ts__triomphe-0.1.14",`
`126`	`126`	`"vendor_ts__ungrammar-1.16.1",`
	`127`	`+ "vendor_ts__zstd-0.13.3",`
`127`	`128`	`)`
`128`	`129`
`129`	`130`	`http_archive = use_repo_rule("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")`
-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* The query `actions/missing-workflow-permissions` is now aware of the minimal permissions needed for the actions `deploy-pages`, `delete-package-versions`, `ai-inference`. This should lead to better alert messages and better fix suggestions.