github
diff --git a/‎.bazelrc
+3 b/‎.bazelrc
+3
diff --git a/‎actions/ql/lib/CHANGELOG.md
+7 b/‎actions/ql/lib/CHANGELOG.md
+7
diff --git a/‎actions/ql/lib/change-notes/2025-01-20-bash.md
-4 b/‎actions/ql/lib/change-notes/2025-01-20-bash.md
-4
diff --git a/‎actions/ql/lib/change-notes/2025-01-22-version.md
-4 b/‎actions/ql/lib/change-notes/2025-01-22-version.md
-4
diff --git a/‎actions/ql/lib/change-notes/released/0.4.2.md
+6 b/‎actions/ql/lib/change-notes/released/0.4.2.md
+6
diff --git a/‎actions/ql/lib/codeql-pack.release.yml
+1-1 b/‎actions/ql/lib/codeql-pack.release.yml
+1-1
diff --git a/‎actions/ql/lib/qlpack.yml
+1-1 b/‎actions/ql/lib/qlpack.yml
+1-1
diff --git a/‎actions/ql/src/CHANGELOG.md
+4 b/‎actions/ql/src/CHANGELOG.md
+4
diff --git a/‎actions/ql/src/change-notes/released/0.4.2.md
+3 b/‎actions/ql/src/change-notes/released/0.4.2.md
+3
diff --git a/‎actions/ql/src/codeql-pack.release.yml
+1-1 b/‎actions/ql/src/codeql-pack.release.yml
+1-1
diff --git a/‎actions/ql/src/qlpack.yml
+1-1 b/‎actions/ql/src/qlpack.yml
+1-1
@@ -2,6 +2,9 @@ common --enable_platform_specific_config
 # because we use --override_module with `%workspace%`, the lock file is not stable
 common --lockfile_mode=off
 
+# Build release binaries by default, can be overwritten to in local.bazelrc and set to `fastbuild` or `dbg`
+build --compilation_mode opt
+
 # when building from this repository in isolation, the internal repository will not be found at ..
 # where `MODULE.bazel` looks for it. The following will get us past the module loading phase, so
 # that we can build things that do not rely on that
 
@@ -1,3 +1,10 @@
+## 0.4.2
+
+### Bug Fixes
+
+* Fixed data for vulnerable versions of `actions/download-artifact` and `rlespinasse/github-slug-action` (following GHSA-cxww-7g56-2vh6 and GHSA-6q4m-7476-932w).
+* Improved `untrustedGhCommandDataModel` regex for `gh pr view` and Bash taint analysis in GitHub Actions.
+
 ## 0.4.1
 
 No user-facing changes.
 
@@ -0,0 +1,6 @@
+## 0.4.2
+
+### Bug Fixes
+
+* Fixed data for vulnerable versions of `actions/download-artifact` and `rlespinasse/github-slug-action` (following GHSA-cxww-7g56-2vh6 and GHSA-6q4m-7476-932w).
+* Improved `untrustedGhCommandDataModel` regex for `gh pr view` and Bash taint analysis in GitHub Actions.
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.1
+lastReleaseVersion: 0.4.2
@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.2-dev
+version: 0.4.3-dev
 library: true
 warnOnImplicitThis: true
 dependencies:
 
@@ -1,3 +1,7 @@
+## 0.4.2
+
+No user-facing changes.
+
 ## 0.4.1
 
 No user-facing changes.
 
@@ -0,0 +1,3 @@
+## 0.4.2
+
+No user-facing changes.
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.1
+lastReleaseVersion: 0.4.2
@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.4.2-dev
+version: 0.4.3-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`---`
`2`		`-lastReleaseVersion: 0.4.1`
	`2`	`+lastReleaseVersion: 0.4.2`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+## 0.4.2`
	`2`	`+`
	`3`	`+No user-facing changes.`