Sync Main (autogenerated)

.github/workflows/build-ripunzip.yml

@@ -1,29 +1,58 @@
-name: Build runzip
+name: Build ripunzip
 
 on:
   workflow_dispatch:
     inputs:
       ripunzip-version:
-        description: "what reference to checktout from google/runzip"
+        description: What reference to checkout from google/ripunzip. Latest by default
         required: false
-        default: v2.0.2
       openssl-version:
-        description: "what reference to checkout from openssl/openssl for Linux"
+        description: What reference to checkout from openssl/openssl for Linux. Latest by default
         required: false
-        default: openssl-3.5.0
+      open-pr:
+        description: Open a pull request updating the ripunzip versions committed to lfs
+        required: false
+        default: true  # will be false on PRs
+  pull_request:
+    paths:
+      - .github/workflows/build-ripunzip.yml
 
+permissions: {}
+
 jobs:
+  versions:
+    runs-on: ubuntu-slim
+    outputs:
+      ripunzip-version: ${{ inputs.ripunzip-version || steps.fetch-ripunzip-version.outputs.version }}
+      openssl-version: ${{ inputs.openssl-version || steps.fetch-openssl-version.outputs.version }}
+    steps:
+      - name: Fetch latest ripunzip version
+        id: fetch-ripunzip-version
+        if: "!inputs.ripunzip-version"
+        run: &fetch-version
+          echo "version=$(gh release view --repo $REPO --json tagName --jq .tagName)" | tee -a $GITHUB_OUTPUT
+        env:
+          REPO: "google/ripunzip"
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Fetch latest openssl version
+        id: fetch-openssl-version
+        if: "!inputs.openssl-version"
+        run: *fetch-version
+        env:
+          REPO: "openssl/openssl"
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   build:
+    needs: versions
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-22.04, macos-13, windows-2022]
+        os: [ubuntu-24.04, macos-15, windows-2025]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v5
         with:
           repository: google/ripunzip
-          ref: ${{ inputs.ripunzip-version }}
+          ref: ${{ needs.versions.outputs.ripunzip-version }}
       # we need to avoid ripunzip dynamically linking into libssl
       # see https://github.com/sfackler/rust-openssl/issues/183
       - if: runner.os == 'Linux'
@@ -32,7 +61,7 @@ jobs:
         with:
           repository: openssl/openssl
           path: openssl
-          ref: ${{ inputs.openssl-version }}
+          ref: ${{ needs.versions.outputs.openssl-version }}
       - if: runner.os == 'Linux'
         name: build and install openssl with fPIC
         shell: bash
@@ -64,11 +93,74 @@ jobs:
           lipo -create -output ripunzip-macos \
             -arch x86_64 target/x86_64-apple-darwin/release/ripunzip \
             -arch arm64 target/aarch64-apple-darwin/release/ripunzip
-      - uses: actions/upload-artifact@v4
+      - name: Archive
+        shell: bash
+        run: |
+          tar acf ripunzip-$RUNNER_OS.tar.zst ripunzip-$(echo $RUNNER_OS | tr '[:upper:]' '[:lower:]')
+      - name: Upload built binary
+        uses: actions/upload-artifact@v4
         with:
           name: ripunzip-${{ runner.os }}
-          path: ripunzip-*
+          path: ripunzip-${{ runner.os }}.tar.zst
+          retention-days: 5
+          compression: 0
       - name: Check built binary
         shell: bash
         run: |
+          rm -f ripunzip-*.tar.zst
           ./ripunzip-* --version
+  publish:
+    needs: [versions, build]
+    if: inputs.open-pr == 'true'
+    permissions:
+      contents: write
+      pull-requests: write
+    runs-on: ubuntu-slim
+    steps:
+      # workaround for git-lfs not being installed yet on ubuntu-slim runners
+      - name: Ensure git-lfs is installed
+        shell: bash
+        run: |
+          if which git-lfs &>/dev/null; then
+            echo "git-lfs is already installed"
+            exit 0
+          fi
+          cd $TMP
+          gh release download --repo git-lfs/git-lfs --pattern "git-lfs-linux-amd64-*.tar.gz" --clobber
+          tar xzf git-lfs-linux-amd64-*.tar.gz
+          rm git-lfs-linux-amd64-*.tar.gz
+          cd git-lfs-*
+          pwd | tee -a $GITHUB_PATH
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - uses: actions/checkout@v5
+        with:
+          sparse-checkout: |
+            .github
+            misc/ripunzip
+          lfs: true
+      - name: Download built binaries
+        uses: actions/download-artifact@v4
+        with:
+          merge-multiple: true
+          path: misc/ripunzip
+      - name: Open PR
+        shell: bash
+        run: |
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
+          git switch -c update-ripunzip
+          git add misc/ripunzip
+          git commit -m "Update ripunzip binaries to version $VERSION"
+          git push --set-upstream origin update-ripunzip --force
+          TITLE="Update ripunzip binaries to version $VERSION"
+          gh pr create \
+            --draft \
+            --title "$TITLE" \
+            --body "Automated update of ripunzip binaries." \
+            --assignee "$ACTOR" ||
+              (gh pr edit --title "$TITLE" --add-assignee "$ACTOR" && gh pr ready --undo)
+        env:
+          ACTOR: ${{ github.actor }}
+          VERSION: ${{ needs.versions.outputs.ripunzip-version }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

CODEOWNERS

@@ -5,19 +5,29 @@
 /actions/ @github/codeql-dynamic
 /cpp/ @github/codeql-c-analysis
 /csharp/ @github/codeql-csharp
-/csharp/autobuilder/Semmle.Autobuild.Cpp @github/codeql-c-extractor
-/csharp/autobuilder/Semmle.Autobuild.Cpp.Tests @github/codeql-c-extractor
+/csharp/autobuilder/Semmle.Autobuild.Cpp @github/codeql-c-extractor @github/code-scanning-language-coverage
+/csharp/autobuilder/Semmle.Autobuild.Cpp.Tests @github/codeql-c-extractor @github/code-scanning-language-coverage
 /go/ @github/codeql-go
+/go/codeql-tools/ @github/codeql-go @github/code-scanning-language-coverage
+/go/downgrades/ @github/codeql-go @github/code-scanning-language-coverage
+/go/extractor/ @github/codeql-go @github/code-scanning-language-coverage
+/go/extractor-smoke-test/ @github/codeql-go @github/code-scanning-language-coverage
+/go/ql/test/extractor-tests/ @github/codeql-go @github/code-scanning-language-coverage
 /java/ @github/codeql-java
 /javascript/ @github/codeql-javascript
+/javascript/extractor/ @github/codeql-javascript @github/code-scanning-language-coverage
 /python/ @github/codeql-python
+/python/extractor/ @github/codeql-python @github/code-scanning-language-coverage
 /ql/ @github/codeql-ql-for-ql-reviewers
 /ruby/ @github/codeql-ruby
+/ruby/extractor/ @github/codeql-ruby @github/code-scanning-language-coverage
 /rust/ @github/codeql-rust
+/rust/extractor/ @github/codeql-rust @github/code-scanning-language-coverage
 /shared/ @github/codeql-shared-libraries-reviewers
 /swift/ @github/codeql-swift
+/swift/extractor/ @github/codeql-swift @github/code-scanning-language-coverage
 /misc/codegen/ @github/codeql-swift
-/java/kotlin-extractor/ @github/codeql-kotlin
+/java/kotlin-extractor/ @github/codeql-kotlin @github/code-scanning-language-coverage
 /java/ql/test-kotlin1/ @github/codeql-kotlin
 /java/ql/test-kotlin2/ @github/codeql-kotlin
 

MODULE.bazel

@@ -273,19 +273,19 @@ lfs_archive = use_repo_rule("//misc/bazel:lfs.bzl", "lfs_archive")
 
 lfs_archive(
     name = "ripunzip-linux",
-    src = "//misc/ripunzip:ripunzip-Linux.zip",
+    src = "//misc/ripunzip:ripunzip-Linux.tar.zst",
     build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
 )
 
 lfs_archive(
     name = "ripunzip-windows",
-    src = "//misc/ripunzip:ripunzip-Windows.zip",
+    src = "//misc/ripunzip:ripunzip-Windows.tar.zst",
     build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
 )
 
 lfs_archive(
     name = "ripunzip-macos",
-    src = "//misc/ripunzip:ripunzip-macOS.zip",
+    src = "//misc/ripunzip:ripunzip-macOS.tar.zst",
     build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
 )
 

actions/ql/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.4.21
+
+No user-facing changes.
+
 ## 0.4.20
 
 No user-facing changes.

actions/ql/lib/change-notes/released/0.4.21.md

@@ -0,0 +1,3 @@
+## 0.4.21
+
+No user-facing changes.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.20
+lastReleaseVersion: 0.4.21

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.20
+version: 0.4.21
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.6.13
+
+No user-facing changes.
+
 ## 0.6.12
 
 No user-facing changes.

actions/ql/src/change-notes/released/0.6.13.md

@@ -0,0 +1,3 @@
+## 0.6.13
+
+No user-facing changes.

actions/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.12
+lastReleaseVersion: 0.6.13

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.12
+version: 0.6.13
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]