github
diff --git a/‎.github/workflows/compile-queries.yml‎
Lines changed: 37 additions & 5 deletions b/‎.github/workflows/compile-queries.yml‎
Lines changed: 37 additions & 5 deletions
diff --git a/‎.github/workflows/ql-for-ql-build.yml‎
Lines changed: 1 addition & 0 deletions b/‎.github/workflows/ql-for-ql-build.yml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.github/workflows/ql-for-ql-tests.yml‎
Lines changed: 2 additions & 0 deletions b/‎.github/workflows/ql-for-ql-tests.yml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎actions/ql/examples/codeql-pack.lock.yml‎
Lines changed: 4 additions & 0 deletions b/‎actions/ql/examples/codeql-pack.lock.yml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎actions/ql/examples/qlpack.yml‎
Lines changed: 7 additions & 0 deletions b/‎actions/ql/examples/qlpack.yml‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎actions/ql/examples/snippets/uses_pinned_sha.ql‎
Lines changed: 12 additions & 0 deletions b/‎actions/ql/examples/snippets/uses_pinned_sha.ql‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎actions/ql/lib/CHANGELOG.md‎
Lines changed: 10 additions & 0 deletions b/‎actions/ql/lib/CHANGELOG.md‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎actions/ql/lib/change-notes/released/0.4.25.md‎
Lines changed: 3 additions & 0 deletions b/‎actions/ql/lib/change-notes/released/0.4.25.md‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎…28-fix-code-injection-alert-filtering.md‎ ‎…s/ql/lib/change-notes/released/0.4.26.md‎actions/ql/lib/change-notes/2025-11-28-fix-code-injection-alert-filtering.md renamed to actions/ql/lib/change-notes/released/0.4.26.md
Lines changed: 4 additions & 3 deletions b/‎…28-fix-code-injection-alert-filtering.md‎ ‎…s/ql/lib/change-notes/released/0.4.26.md‎actions/ql/lib/change-notes/2025-11-28-fix-code-injection-alert-filtering.md renamed to actions/ql/lib/change-notes/released/0.4.26.md
Lines changed: 4 additions & 3 deletions
diff --git a/‎actions/ql/lib/codeql-pack.release.yml‎
Lines changed: 1 addition & 1 deletion b/‎actions/ql/lib/codeql-pack.release.yml‎
Lines changed: 1 addition & 1 deletion
@@ -17,9 +17,41 @@ permissions:
   contents: read
 
 jobs:
-  compile-queries:
+  detect-changes:
     if: github.repository_owner == 'github'
+    runs-on: ubuntu-latest
+    outputs:
+      languages: ${{ steps.detect.outputs.languages }}
+    steps:
+      - uses: actions/checkout@v5
+      - name: Detect changed languages
+        id: detect
+        run: |
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            # For PRs, detect which languages have changes
+            changed_files=$(gh pr view ${{ github.event.pull_request.number }} --json files --jq '.files.[].path')
+            languages=()
+            for lang in actions cpp csharp go java javascript python ql ruby rust swift; do
+              if echo "$changed_files" | grep -qE "^($lang/|shared/)" ; then
+                languages+=("$lang")
+              fi
+            done
+            echo "languages=$(jq -c -n '$ARGS.positional' --args "${languages[@]}")" >> $GITHUB_OUTPUT
+          else
+            # For pushes to main/rc branches, run all languages
+            echo 'languages=["actions","cpp","csharp","go","java","javascript","python","ql","ruby","rust","swift"]' >> $GITHUB_OUTPUT
+          fi
+        env:
+          GH_TOKEN: ${{ github.token }}
+
+  compile-queries:
+    needs: detect-changes
+    if: github.repository_owner == 'github' && needs.detect-changes.outputs.languages != '[]'
     runs-on: ubuntu-latest-xl
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ${{ fromJson(needs.detect-changes.outputs.languages) }}
 
     steps:
       - uses: actions/checkout@v5
@@ -31,16 +63,16 @@ jobs:
         id: query-cache
         uses: ./.github/actions/cache-query-compilation
         with: 
-          key: all-queries
+          key: ${{ matrix.language }}-queries
       - name: check formatting
-        run: find shared */ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 -n 3000 -P 10 codeql query format -q --check-only
+        run: find shared ${{ matrix.language }}/ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 -n 3000 -P 10 codeql query format -q --check-only
       - name: compile queries - check-only
         # run with --check-only if running in a PR (github.sha != main)
         if : ${{ github.event_name == 'pull_request' }}
         shell: bash
-        run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
+        run: codeql query compile -q -j0 ${{ matrix.language }}/ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
       - name: compile queries - full
         # do full compile if running on main - this populates the cache
         if : ${{ github.event_name != 'pull_request' }}
         shell: bash
-        run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
+        run: codeql query compile -q -j0 ${{ matrix.language }}/ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
@@ -27,6 +27,7 @@ jobs:
         uses: github/codeql-action/init@main
         with:
           languages: javascript # does not matter
+          tools: nightly
       - uses: ./.github/actions/os-version
         id: os_version
       ### Build the extractor ###
 
@@ -30,6 +30,7 @@ jobs:
         uses: github/codeql-action/init@main
         with:
           languages: javascript # does not matter
+          tools: nightly
       - uses: ./.github/actions/os-version
         id: os_version
       - uses: actions/cache@v3
@@ -75,6 +76,7 @@ jobs:
         uses: github/codeql-action/init@main
         with:
           languages: javascript # does not matter
+          tools: nightly
       - uses: ./.github/actions/os-version
         id: os_version
       - uses: actions/cache@v3
 
@@ -0,0 +1,4 @@
+---
+lockVersion: 1.0.0
+dependencies: {}
+compiled: false
@@ -0,0 +1,7 @@
+name: codeql/actions-examples
+groups:
+  - actions
+  - examples
+dependencies:
+  codeql/actions-all: ${workspace}
+warnOnImplicitThis: true
@@ -0,0 +1,12 @@
+/**
+ * @name Uses step with pinned SHA
+ * @description Finds 'uses' steps where the version is a pinned SHA.
+ * @id actions/examples/uses-pinned-sha
+ * @tags example
+ */
+
+import actions
+
+from UsesStep uses
+where uses.getVersion().regexpMatch("^[A-Fa-f0-9]{40}$")
+select uses, "This 'uses' step has a pinned SHA version."
@@ -1,3 +1,13 @@
+## 0.4.26
+
+### Major Analysis Improvements
+
+* The query `actions/code-injection/medium` has been updated to include results which were incorrectly excluded while filtering out results that are reported by `actions/code-injection/critical`.
+
+## 0.4.25
+
+No user-facing changes.
+
 ## 0.4.24
 
 No user-facing changes.
 
@@ -0,0 +1,3 @@
+## 0.4.25
+
+No user-facing changes.
@@ -1,4 +1,5 @@
----
-category: majorAnalysis
----
+## 0.4.26
+
+### Major Analysis Improvements
+
 * The query `actions/code-injection/medium` has been updated to include results which were incorrectly excluded while filtering out results that are reported by `actions/code-injection/critical`.
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.24
+lastReleaseVersion: 0.4.26
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+## 0.4.25`
	`2`	`+`
	`3`	`+No user-facing changes.`
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`---`
`2`		`-lastReleaseVersion: 0.4.24`
	`2`	`+lastReleaseVersion: 0.4.26`