Merge branch 'main' into jb1/isLibraryFile-nomagic

Author: ropwareJB

.bazelrc

@@ -1,5 +1,4 @@
 common --enable_platform_specific_config
-common --enable_bzlmod
 # because we use --override_module with `%workspace%`, the lock file is not stable
 common --lockfile_mode=off
 
@@ -25,6 +24,5 @@ common --registry=https://bcr.bazel.build
 
 common --@rules_dotnet//dotnet/settings:strict_deps=false
 common --experimental_isolated_extension_usages
-common --incompatible_use_plus_in_repo_names
 
 try-import %workspace%/local.bazelrc

.bazelversion

@@ -1 +1 @@
-5f5d70b6c4d2fb1a889479569107f1692239e8a7
+8.0.0rc1

.github/codeql/codeql-config.yml

@@ -9,3 +9,5 @@ paths-ignore:
   - '/python/'
   - '/javascript/ql/test'
   - '/javascript/extractor/tests'
+  - '/rust/ql/test'
+  - '/rust/ql/integration-tests'

.github/labeler.yml

@@ -38,6 +38,10 @@ Swift:
   - swift/**/*
   - change-notes/**/*swift*
 
+Actions:
+  - actions/**/*
+  - change-notes/**/*actions*
+
 documentation:
   - "**/*.qhelp"
   - "**/*.md"

.github/workflows/build-ripunzip.yml

@@ -17,7 +17,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-20.04, macos-12, windows-2019]
+        os: [ubuntu-20.04, macos-13, windows-2019]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4

.github/workflows/powershell-pr-check.yml

@@ -0,0 +1,28 @@
+name: PowerShell PR Check
+
+on:
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  powershell-pr-check:
+    name: powershell-pr-check
+    runs-on: ubuntu-latest
+    if: github.repository == 'microsoft/codeql'
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.WORKFLOW_TOKEN }}
+      - name: Setup CodeQL
+        uses: ./.github/actions/fetch-codeql
+        with:
+          channel: release
+      - name: Compile PowerShell Queries
+        run: |
+          codeql query compile --check-only --keep-going powershell/ql/src

.github/workflows/rust-analysis.yml

@@ -0,0 +1,64 @@
+name: "Code scanning - Rust"
+
+on:
+  push:
+    branches:
+      - main
+      - 'rc/*'
+  pull_request:
+    branches:
+      - main
+      - 'rc/*'
+    paths:
+      - '**/*.rs'
+      - '**/Cargo.toml'
+      - '.github/codeql/codeql-config.yml'
+      - '.github/workflows/rust-analysis.yml'
+  schedule:
+    - cron: '0 9 * * 1'
+
+env:
+  CODEQL_ENABLE_EXPERIMENTAL_FEATURES: "true"
+
+jobs:
+  analyze:
+    strategy:
+      matrix:
+        language: [ 'rust' ]
+
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      security-events: write
+      pull-requests: read
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Query latest nightly CodeQL bundle
+      shell: bash
+      id: codeql
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+      run: |
+        REPO=dsp-testing/codeql-cli-nightlies
+        TAG=$(
+          gh release list -R $REPO -L1 --exclude-drafts --json tagName -q ".[] | .tagName"
+        )
+        echo "nightly_bundle=https://github.com/$REPO/releases/download/$TAG/codeql-bundle-linux64.tar.zst" \
+          | tee -a "$GITHUB_OUTPUT"
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@main
+      with:
+        tools: ${{ steps.codeql.outputs.nightly_bundle }}
+        languages: ${{ matrix.language }}
+        config-file: ./.github/codeql/codeql-config.yml
+
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@main
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@main

.github/workflows/swift.yml

@@ -44,7 +44,7 @@ jobs:
   # without waiting for the macOS build
   build-and-test-macos:
     if: github.repository_owner == 'github'
-    runs-on: macos-12-xl
+    runs-on: macos-13-xlarge
     steps:
       - uses: actions/checkout@v4
       - uses: ./swift/actions/build-and-test
@@ -64,7 +64,7 @@ jobs:
   qltests-macos:
     if: ${{ github.repository_owner == 'github' && github.event_name == 'pull_request' }}
     needs: build-and-test-macos
-    runs-on: macos-12-xl
+    runs-on: macos-13-xlarge
     steps:
       - uses: actions/checkout@v4
       - uses: ./swift/actions/run-ql-tests

.github/workflows/sync-main.yml

@@ -21,17 +21,22 @@ jobs:
         run: |
           git config user.name Dilan Bhalla
           git config user.email [email protected]
-      - name: Fetch
+      - name: Sync Main
         shell: bash
         run: |
           set -x
           git fetch
           git remote add upstream https://github.com/github/codeql.git
           git fetch upstream --tags --force
-      - name: Sync Main
+          git merge codeql-cli/latest
+      - name: Setup CodeQL
+        uses: ./.github/actions/fetch-codeql
+      - name: Compile PowerShell Queries
+        run: |
+          codeql query compile --check-only --keep-going powershell/ql/src
+      - name: Complete Sync
         shell: bash
         run: |
-          git merge codeql-cli/latest
           git push origin main
           git push origin --tags --force
 

CODEOWNERS

@@ -23,7 +23,6 @@
 /ql/ @github/codeql-ql-for-ql-reviewers
 
 # Bazel (excluding BUILD.bazel files)
-WORKSPACE.bazel @github/codeql-ci-reviewers
 MODULE.bazel @github/codeql-ci-reviewers
 .bazelversion @github/codeql-ci-reviewers
 .bazelrc @github/codeql-ci-reviewers