github
diff --git a/‎.bazelrc
Lines changed: 8 additions & 0 deletions b/‎.bazelrc
Lines changed: 8 additions & 0 deletions
diff --git a/‎.bazelversion
Lines changed: 1 addition & 1 deletion b/‎.bazelversion
Lines changed: 1 addition & 1 deletion
diff --git a/‎.clang-format
Lines changed: 1 addition & 0 deletions b/‎.clang-format
Lines changed: 1 addition & 0 deletions
diff --git a/‎.gitattributes
Lines changed: 7 additions & 0 deletions b/‎.gitattributes
Lines changed: 7 additions & 0 deletions
diff --git a/‎.github/labeler.yml
Lines changed: 1 addition & 1 deletion b/‎.github/labeler.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/check-change-note.yml
Lines changed: 3 additions & 0 deletions b/‎.github/workflows/check-change-note.yml
Lines changed: 3 additions & 0 deletions
diff --git a/‎.github/workflows/check-implicit-this.yml
Lines changed: 3 additions & 0 deletions b/‎.github/workflows/check-implicit-this.yml
Lines changed: 3 additions & 0 deletions
diff --git a/‎.github/workflows/check-qldoc.yml
Lines changed: 3 additions & 0 deletions b/‎.github/workflows/check-qldoc.yml
Lines changed: 3 additions & 0 deletions
diff --git a/‎.github/workflows/check-query-ids.yml
Lines changed: 3 additions & 0 deletions b/‎.github/workflows/check-query-ids.yml
Lines changed: 3 additions & 0 deletions
diff --git a/‎.github/workflows/close-stale.yml
Lines changed: 3 additions & 0 deletions b/‎.github/workflows/close-stale.yml
Lines changed: 3 additions & 0 deletions
@@ -1,4 +1,12 @@
 common --enable_platform_specific_config
+common --enable_bzlmod
+# because we use --override_module with `%workspace%`, the lock file is not stable
+common --lockfile_mode=off
+
+# when building from this repository in isolation, the internal repository will not be found at ..
+# where `MODULE.bazel` looks for it. The following will get us past the module loading phase, so
+# that we can build things that do not rely on that
+common --override_module=semmle_code=%workspace%/misc/bazel/semmle_code_stub
 
 build --repo_env=CC=clang --repo_env=CXX=clang++
 
 
@@ -1 +1 @@
-6.3.1
+7.0.2
@@ -0,0 +1 @@
+DisableFormat: true
@@ -71,3 +71,10 @@ go/extractor/opencsv/CSVReader.java -text
 # `javascript/ql/experimental/adaptivethreatmodeling/test/update_endpoint_test_files.py`.
 javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/autogenerated/**/*.js linguist-generated=true -merge
 javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/autogenerated/**/*.ts linguist-generated=true -merge
+
+# Auto-generated modeling for Python
+python/ql/lib/semmle/python/frameworks/data/internal/subclass-capture/*.yml linguist-generated=true
+
+# auto-generated bazel lock file
+ruby/extractor/cargo-bazel-lock.json linguist-generated=true
+ruby/extractor/cargo-bazel-lock.json -merge
@@ -20,7 +20,7 @@ JS:
 
 Kotlin:
   - java/kotlin-extractor/**/*
-  - java/ql/test/kotlin/**/*
+  - java/ql/test-kotlin*/**/*
 
 Python:
   - python/**/*
 
@@ -1,5 +1,8 @@
 name: Check change note
 
+permissions:
+  pull-requests: read
+
 on:
   pull_request_target:
     types: [labeled, unlabeled, opened, synchronize, reopened, ready_for_review]
 
@@ -9,6 +9,9 @@ on:
       - main
       - "rc/*"
 
+permissions:
+  contents: read
+
 jobs:
   check:
     runs-on: ubuntu-latest
 
@@ -10,6 +10,9 @@ on:
       - main
       - "rc/*"
 
+permissions:
+  contents: read
+
 jobs:
   qldoc:
     runs-on: ubuntu-latest
 
@@ -11,6 +11,9 @@ on:
       - "rc/*"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   check:
     name: Check query IDs
 
@@ -5,6 +5,9 @@ on:
   schedule:
     - cron: "30 1 * * *"
 
+permissions:
+  issues: write
+
 jobs:
   stale:
     if: github.repository == 'github/codeql'