github
diff --git a/‎.bazelrc
Lines changed: 7 additions & 0 deletions b/‎.bazelrc
Lines changed: 7 additions & 0 deletions
diff --git a/‎.github/copilot-instructions.md
Lines changed: 4 additions & 0 deletions b/‎.github/copilot-instructions.md
Lines changed: 4 additions & 0 deletions
diff --git a/‎.github/workflows/check-overlay-annotations.yml
Lines changed: 23 additions & 0 deletions b/‎.github/workflows/check-overlay-annotations.yml
Lines changed: 23 additions & 0 deletions
diff --git a/‎.github/workflows/go-tests-other-os.yml
Lines changed: 0 additions & 35 deletions b/‎.github/workflows/go-tests-other-os.yml
Lines changed: 0 additions & 35 deletions
diff --git a/‎.github/workflows/go-tests-rtjo.yml
Lines changed: 0 additions & 22 deletions b/‎.github/workflows/go-tests-rtjo.yml
Lines changed: 0 additions & 22 deletions
diff --git a/‎.github/workflows/go-tests.yml
Lines changed: 1 addition & 12 deletions b/‎.github/workflows/go-tests.yml
Lines changed: 1 addition & 12 deletions
diff --git a/‎MODULE.bazel
Lines changed: 34 additions & 4 deletions b/‎MODULE.bazel
Lines changed: 34 additions & 4 deletions
diff --git a/‎actions/ql/lib/CHANGELOG.md
Lines changed: 10 additions & 0 deletions b/‎actions/ql/lib/CHANGELOG.md
Lines changed: 10 additions & 0 deletions
diff --git a/‎actions/ql/lib/change-notes/released/0.4.13.md
Lines changed: 5 additions & 0 deletions b/‎actions/ql/lib/change-notes/released/0.4.13.md
Lines changed: 5 additions & 0 deletions
diff --git a/‎actions/ql/lib/change-notes/released/0.4.14.md
Lines changed: 3 additions & 0 deletions b/‎actions/ql/lib/change-notes/released/0.4.14.md
Lines changed: 3 additions & 0 deletions
@@ -30,6 +30,13 @@ common --registry=https://bcr.bazel.build
 
 common --@rules_dotnet//dotnet/settings:strict_deps=false
 
+# we only configure a nightly toolchain
+common --@rules_rust//rust/toolchain/channel=nightly
+
+# rust does not like the gold linker, while bazel does by default, so let's avoid using it
+common:linux --linkopt=-fuse-ld=lld
+common:macos --linkopt=-fuse-ld=lld
+
 # Reduce this eventually to empty, once we've fixed all our usages of java, and https://github.com/bazel-contrib/rules_go/issues/4193 is fixed
 common --incompatible_autoload_externally="+@rules_java,+@rules_shell"
 
 
@@ -0,0 +1,4 @@
+When reviewing code:
+* do not review changes in files with `.expected` extension (they are automatically ensured to be correct).
+* in `.ql` and `.qll` files, do not try to review the code itself as you don't understand the programming language
+  well enough to make comments in these languages. You can still check for typos or comment improvements.
@@ -0,0 +1,23 @@
+name: Check overlay annotations
+
+on:
+  push:
+    branches:
+      - main
+      - 'rc/*'
+  pull_request:
+    branches:
+      - main
+      - 'rc/*'
+
+permissions:
+  contents: read
+
+jobs:
+  sync:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Check overlay annotations
+        run: python config/add-overlay-annotations.py --check java
+
@@ -1,20 +1,9 @@
 name: "Go: Run Tests"
 on:
-  push:
-    paths:
-      - "go/**"
-      - "!go/documentation/**"
-      - "shared/**"
-      - .github/workflows/go-tests.yml
-      - .github/actions/**
-      - codeql-workspace.yml
-    branches:
-      - main
-      - "rc/*"
   pull_request:
     paths:
       - "go/**"
-      - "!go/documentation/**"      
+      - "!go/documentation/**"
       - "shared/**"
       - .github/workflows/go-tests.yml
       - .github/actions/**
 
@@ -15,7 +15,7 @@ local_path_override(
 # see https://registry.bazel.build/ for a list of available packages
 
 bazel_dep(name = "platforms", version = "0.0.11")
-bazel_dep(name = "rules_go", version = "0.50.1")
+bazel_dep(name = "rules_go", version = "0.56.1")
 bazel_dep(name = "rules_pkg", version = "1.0.1")
 bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1")
 bazel_dep(name = "rules_python", version = "0.40.0")
@@ -28,7 +28,7 @@ bazel_dep(name = "rules_kotlin", version = "2.1.3-codeql.1")
 bazel_dep(name = "gazelle", version = "0.40.0")
 bazel_dep(name = "rules_dotnet", version = "0.17.4")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
-bazel_dep(name = "rules_rust", version = "0.58.0")
+bazel_dep(name = "rules_rust", version = "0.63.0")
 bazel_dep(name = "zstd", version = "1.5.5.bcr.1")
 
 bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
@@ -37,7 +37,11 @@ bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True
 # the versions there are canonical, the versions here are used for CI in github/codeql, as well as for the vendoring of dependencies.
 RUST_EDITION = "2024"
 
-RUST_VERSION = "1.86.0"
+# run buildutils-internal/scripts/fill-rust-sha256s.py when updating (internal repo)
+# a nightly toolchain is required to enable experimental_use_cc_common_link, which we require internally
+# we prefer to run the same version as internally, even if experimental_use_cc_common_link is not really
+# required in this repo
+RUST_VERSION = "nightly/2025-08-01"
 
 rust = use_extension("@rules_rust//rust:extensions.bzl", "rust")
 rust.toolchain(
@@ -47,6 +51,29 @@ rust.toolchain(
         "x86_64-apple-darwin",
         "aarch64-apple-darwin",
     ],
+    # generated by buildutils-internal/scripts/fill-rust-sha256s.py (internal repo)
+    sha256s = {
+        "2025-08-01/rustc-nightly-x86_64-unknown-linux-gnu.tar.xz": "9bbeaf5d3fc7247d31463a9083aa251c995cc50662c8219e7a2254d76a72a9a4",
+        "2025-08-01/rustc-nightly-x86_64-apple-darwin.tar.xz": "c9ea539a8eff0d5d162701f99f9e1aabe14dd0dfb420d62362817a5d09219de7",
+        "2025-08-01/rustc-nightly-aarch64-apple-darwin.tar.xz": "ae83feebbc39cfd982e4ecc8297731fe79c185173aee138467b334c5404b3773",
+        "2025-08-01/rustc-nightly-x86_64-pc-windows-msvc.tar.xz": "9f170c30d802a349be60cf52ec46260802093cb1013ad667fc0d528b7b10152f",
+        "2025-08-01/clippy-nightly-x86_64-unknown-linux-gnu.tar.xz": "9ae5f3cd8f557c4f6df522597c69d14398cf604cfaed2b83e767c4b77a7eaaf6",
+        "2025-08-01/clippy-nightly-x86_64-apple-darwin.tar.xz": "983cb9ee0b6b968188e04ab2d33743d54764b2681ce565e1b3f2b9135c696a3e",
+        "2025-08-01/clippy-nightly-aarch64-apple-darwin.tar.xz": "ed2219dbc49d088225e1b7c5c4390fa295066e071fddaa2714018f6bb39ddbf0",
+        "2025-08-01/clippy-nightly-x86_64-pc-windows-msvc.tar.xz": "911f40ab5cbdd686f40e00965271fe47c4805513a308ed01f30eafb25b448a50",
+        "2025-08-01/cargo-nightly-x86_64-unknown-linux-gnu.tar.xz": "106463c284e48e4904c717471eeec2be5cc83a9d2cae8d6e948b52438cad2e69",
+        "2025-08-01/cargo-nightly-x86_64-apple-darwin.tar.xz": "6ad35c40efc41a8c531ea43235058347b6902d98a9693bf0aed7fc16d5590cef",
+        "2025-08-01/cargo-nightly-aarch64-apple-darwin.tar.xz": "dd28c365e9d298abc3154c797720ad36a0058f131265c9978b4c8e4e37012c8a",
+        "2025-08-01/cargo-nightly-x86_64-pc-windows-msvc.tar.xz": "7b431286e12d6b3834b038f078389a00cac73f351e8c3152b2504a3c06420b3b",
+        "2025-08-01/llvm-tools-nightly-x86_64-unknown-linux-gnu.tar.xz": "e342e305d7927cc288d386983b2bc253cfad3776b113386e903d0b302648ef47",
+        "2025-08-01/llvm-tools-nightly-x86_64-apple-darwin.tar.xz": "e44dd3506524d85c37b3a54bcc91d01378fd2c590b2db5c5974d12f05c1b84d1",
+        "2025-08-01/llvm-tools-nightly-aarch64-apple-darwin.tar.xz": "0c1b5f46dd81be4a9227b10283a0fcaa39c14fea7e81aea6fd6d9887ff6cdc41",
+        "2025-08-01/llvm-tools-nightly-x86_64-pc-windows-msvc.tar.xz": "423e5fd11406adccbc31b8456ceb7375ce055cdf45e90d2c3babeb2d7f58383f",
+        "2025-08-01/rust-std-nightly-x86_64-unknown-linux-gnu.tar.xz": "3c0ceb46a252647a1d4c7116d9ccae684fa5e42aaf3296419febd2c962c3b41d",
+        "2025-08-01/rust-std-nightly-x86_64-apple-darwin.tar.xz": "3be416003cab10f767390a753d1d16ae4d26c7421c03c98992cf1943e5b0efe8",
+        "2025-08-01/rust-std-nightly-aarch64-apple-darwin.tar.xz": "4046ac0ef951cb056b5028a399124f60999fa37792eab69d008d8d7965f389b4",
+        "2025-08-01/rust-std-nightly-x86_64-pc-windows-msvc.tar.xz": "191ed9d8603c3a4fe5a7bbbc2feb72049078dae2df3d3b7d5dedf3abbf823e6e",
+    },
     versions = [RUST_VERSION],
 )
 use_repo(rust, "rust_toolchains")
@@ -206,6 +233,7 @@ use_repo(
     "kotlin-compiler-2.1.0-Beta1",
     "kotlin-compiler-2.1.20-Beta1",
     "kotlin-compiler-2.2.0-Beta1",
+    "kotlin-compiler-2.2.20-Beta2",
     "kotlin-compiler-embeddable-1.6.0",
     "kotlin-compiler-embeddable-1.6.20",
     "kotlin-compiler-embeddable-1.7.0",
@@ -218,6 +246,7 @@ use_repo(
     "kotlin-compiler-embeddable-2.1.0-Beta1",
     "kotlin-compiler-embeddable-2.1.20-Beta1",
     "kotlin-compiler-embeddable-2.2.0-Beta1",
+    "kotlin-compiler-embeddable-2.2.20-Beta2",
     "kotlin-stdlib-1.6.0",
     "kotlin-stdlib-1.6.20",
     "kotlin-stdlib-1.7.0",
@@ -230,10 +259,11 @@ use_repo(
     "kotlin-stdlib-2.1.0-Beta1",
     "kotlin-stdlib-2.1.20-Beta1",
     "kotlin-stdlib-2.2.0-Beta1",
+    "kotlin-stdlib-2.2.20-Beta2",
 )
 
 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
-go_sdk.download(version = "1.24.0")
+go_sdk.download(version = "1.25.0")
 
 go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
 go_deps.from_file(go_mod = "//go/extractor:go.mod")
 
@@ -1,3 +1,13 @@
+## 0.4.14
+
+No user-facing changes.
+
+## 0.4.13
+
+### Bug Fixes
+
+* The `actions/artifact-poisoning/critical` and `actions/artifact-poisoning/medium` queries now exclude artifacts downloaded to `$[{ runner.temp }}` in addition to `/tmp`.
+
 ## 0.4.12
 
 ### Minor Analysis Improvements
 
@@ -0,0 +1,5 @@
+## 0.4.13
+
+### Bug Fixes
+
+* The `actions/artifact-poisoning/critical` and `actions/artifact-poisoning/medium` queries now exclude artifacts downloaded to `$[{ runner.temp }}` in addition to `/tmp`.
@@ -0,0 +1,3 @@
+## 0.4.14
+
+No user-facing changes.
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+## 0.4.14`
	`2`	`+`
	`3`	`+No user-facing changes.`