Merge branch 'main' into redsun82/just2

Author: redsun82

.bazelrc

@@ -33,10 +33,6 @@ common --@rules_dotnet//dotnet/settings:strict_deps=false
 # we only configure a nightly toolchain
 common --@rules_rust//rust/toolchain/channel=nightly
 
-# rust does not like the gold linker, while bazel does by default, so let's avoid using it
-common:linux --linkopt=-fuse-ld=lld
-common:macos --linkopt=-fuse-ld=lld
-
 # Reduce this eventually to empty, once we've fixed all our usages of java, and https://github.com/bazel-contrib/rules_go/issues/4193 is fixed
 common --incompatible_autoload_externally="+@rules_java,+@rules_shell"
 

.github/copilot-instructions.md

@@ -0,0 +1,4 @@
+---
+applyTo: "**/*.expected"
+---
+Ignore these files. These are generated to be correct by running the tests, and should not be edited manually.

.github/instructions/expected-files.instructions.md

@@ -0,0 +1,6 @@
+---
+applyTo: "**/*.ql,**/*.qll"
+---
+When reviewing these QL files, do not make any comment on the code itself. You don't understand the QL programming language well enough yet. You can only make comments about the following aspects:
+* comments (lines starting with `//` or block comments enclosed in `/* ... */`): you can suggest improvements to the clarity of comments, or point out spelling mistakes
+* typos in identifiers

.github/instructions/ql-files.instructions.md

@@ -1,38 +1,67 @@
-name: Build runzip
+name: Build ripunzip
 
 on:
   workflow_dispatch:
     inputs:
       ripunzip-version:
-        description: "what reference to checktout from google/runzip"
+        description: What reference to checkout from google/ripunzip. Latest by default
         required: false
-        default: v2.0.2
       openssl-version:
-        description: "what reference to checkout from openssl/openssl for Linux"
+        description: What reference to checkout from openssl/openssl for Linux. Latest by default
         required: false
-        default: openssl-3.5.0
+      open-pr:
+        description: Open a pull request updating the ripunzip versions committed to lfs
+        required: false
+        default: true  # will be false on PRs
+  pull_request:
+    paths:
+      - .github/workflows/build-ripunzip.yml
 
+permissions: {}
+  
 jobs:
+  versions:
+    runs-on: ubuntu-slim
+    outputs:
+      ripunzip-version: ${{ inputs.ripunzip-version || steps.fetch-ripunzip-version.outputs.version }}
+      openssl-version: ${{ inputs.openssl-version || steps.fetch-openssl-version.outputs.version }}
+    steps:
+      - name: Fetch latest ripunzip version
+        id: fetch-ripunzip-version
+        if: "!inputs.ripunzip-version"
+        run: &fetch-version
+          echo "version=$(gh release view --repo $REPO --json tagName --jq .tagName)" | tee -a $GITHUB_OUTPUT
+        env:
+          REPO: "google/ripunzip"
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Fetch latest openssl version
+        id: fetch-openssl-version
+        if: "!inputs.openssl-version"
+        run: *fetch-version
+        env:
+          REPO: "openssl/openssl"
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   build:
+    needs: versions
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-22.04, macos-13, windows-2022]
+        os: [ubuntu-24.04, macos-15, windows-2025]
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           repository: google/ripunzip
-          ref: ${{ inputs.ripunzip-version }}
+          ref: ${{ needs.versions.outputs.ripunzip-version }}
       # we need to avoid ripunzip dynamically linking into libssl
       # see https://github.com/sfackler/rust-openssl/issues/183
       - if: runner.os == 'Linux'
         name: checkout openssl
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           repository: openssl/openssl
           path: openssl
-          ref: ${{ inputs.openssl-version }}
+          ref: ${{ needs.versions.outputs.openssl-version }}
       - if: runner.os == 'Linux'
         name: build and install openssl with fPIC
         shell: bash
@@ -64,11 +93,74 @@ jobs:
           lipo -create -output ripunzip-macos \
             -arch x86_64 target/x86_64-apple-darwin/release/ripunzip \
             -arch arm64 target/aarch64-apple-darwin/release/ripunzip
-      - uses: actions/upload-artifact@v4
+      - name: Archive
+        shell: bash
+        run: |
+          tar acf ripunzip-$RUNNER_OS.tar.zst ripunzip-$(echo $RUNNER_OS | tr '[:upper:]' '[:lower:]')
+      - name: Upload built binary
+        uses: actions/upload-artifact@v4
         with:
           name: ripunzip-${{ runner.os }}
-          path: ripunzip-*
+          path: ripunzip-${{ runner.os }}.tar.zst
+          retention-days: 5
+          compression: 0
       - name: Check built binary
         shell: bash
         run: |
+          rm -f ripunzip-*.tar.zst
           ./ripunzip-* --version
+  publish:
+    needs: [versions, build]
+    if: inputs.open-pr == 'true'
+    permissions:
+      contents: write
+      pull-requests: write
+    runs-on: ubuntu-slim
+    steps:
+      # workaround for git-lfs not being installed yet on ubuntu-slim runners
+      - name: Ensure git-lfs is installed
+        shell: bash
+        run: |
+          if which git-lfs &>/dev/null; then
+            echo "git-lfs is already installed"
+            exit 0
+          fi
+          cd $TMP
+          gh release download --repo git-lfs/git-lfs --pattern "git-lfs-linux-amd64-*.tar.gz" --clobber
+          tar xzf git-lfs-linux-amd64-*.tar.gz
+          rm git-lfs-linux-amd64-*.tar.gz
+          cd git-lfs-*
+          pwd | tee -a $GITHUB_PATH
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - uses: actions/checkout@v5
+        with:
+          sparse-checkout: |
+            .github
+            misc/ripunzip
+          lfs: true
+      - name: Download built binaries
+        uses: actions/download-artifact@v4
+        with:
+          merge-multiple: true
+          path: misc/ripunzip
+      - name: Open PR
+        shell: bash
+        run: |
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
+          git switch -c update-ripunzip
+          git add misc/ripunzip
+          git commit -m "Update ripunzip binaries to version $VERSION"
+          git push --set-upstream origin update-ripunzip --force
+          TITLE="Update ripunzip binaries to version $VERSION"
+          gh pr create \
+            --draft \
+            --title "$TITLE" \
+            --body "Automated update of ripunzip binaries." \
+            --assignee "$ACTOR" ||
+              (gh pr edit --title "$TITLE" --add-assignee "$ACTOR" && gh pr ready --undo)
+        env:
+          ACTOR: ${{ github.actor }}
+          VERSION: ${{ needs.versions.outputs.ripunzip-version }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/build-ripunzip.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Check bazel formatting
         uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
         with:

.github/workflows/buildifier.yml

@@ -16,7 +16,7 @@ jobs:
   check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Check that implicit this warnings is enabled for all packs
         shell: bash
         run: |

.github/workflows/check-implicit-this.yml

@@ -17,7 +17,7 @@ jobs:
   sync:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Check overlay annotations
         run: python config/add-overlay-annotations.py --check java
 

.github/workflows/check-overlay-annotations.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 2
 

.github/workflows/check-qldoc.yml

@@ -19,6 +19,6 @@ jobs:
     name: Check query IDs
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Check for duplicate query IDs
         run: python3 misc/scripts/check-query-ids.py