github
diff --git a/‎CODEOWNERS‎
Lines changed: 1 addition & 5 deletions b/‎CODEOWNERS‎
Lines changed: 1 addition & 5 deletions
diff --git a/‎actions/ql/lib/CHANGELOG.md‎
Lines changed: 1 addition & 1 deletion b/‎actions/ql/lib/CHANGELOG.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎actions/ql/lib/change-notes/2026-06-12-self_hosted_runners.md‎
Lines changed: 4 additions & 0 deletions b/‎actions/ql/lib/change-notes/2026-06-12-self_hosted_runners.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎actions/ql/lib/change-notes/released/0.4.37.md‎
Lines changed: 1 addition & 1 deletion b/‎actions/ql/lib/change-notes/released/0.4.37.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎actions/ql/lib/codeql/actions/ast/internal/Ast.qll‎
Lines changed: 2 additions & 0 deletions b/‎actions/ql/lib/codeql/actions/ast/internal/Ast.qll‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎actions/ql/lib/codeql/actions/ast/internal/Yaml.qll‎
Lines changed: 6 additions & 0 deletions b/‎actions/ql/lib/codeql/actions/ast/internal/Yaml.qll‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎actions/ql/lib/codeql/actions/security/SelfHostedQuery.qll‎
Lines changed: 6 additions & 4 deletions b/‎actions/ql/lib/codeql/actions/security/SelfHostedQuery.qll‎
Lines changed: 6 additions & 4 deletions
diff --git a/‎actions/ql/src/CHANGELOG.md‎
Lines changed: 1 addition & 1 deletion b/‎actions/ql/src/CHANGELOG.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql‎
Lines changed: 5 additions & 5 deletions b/‎actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎actions/ql/src/change-notes/2026-06-04-untrusted-checkout-medium-metadata.md‎
Lines changed: 4 additions & 0 deletions b/‎actions/ql/src/change-notes/2026-06-04-untrusted-checkout-medium-metadata.md‎
Lines changed: 4 additions & 0 deletions
@@ -2,7 +2,7 @@
 * @github/code-scanning-alert-coverage
 
 # CodeQL language libraries
-/actions/ @github/codeql-dynamic
+/actions/ @github/code-scanning-alert-coverage
 /cpp/ @github/codeql-c-analysis
 /csharp/ @github/codeql-csharp
 /csharp/autobuilder/Semmle.Autobuild.Cpp @github/codeql-c-extractor @github/code-scanning-language-coverage
@@ -59,9 +59,5 @@ MODULE.bazel @github/codeql-ci-reviewers
 /.github/workflows/rust.yml @github/codeql-rust
 /.github/workflows/swift.yml @github/codeql-swift
 
-# Misc
-/misc/scripts/accept-expected-changes-from-ci.py @RasmusWL
-/misc/scripts/generate-code-scanning-query-list.py @RasmusWL
-
 # .devcontainer
 /.devcontainer/ @github/codeql-ci-reviewers
@@ -2,7 +2,7 @@
 
 ### Minor Analysis Improvements
 
-* The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, include regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a sha1 or sha256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.
+* The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, including regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a SHA-1 or SHA-256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.
 
 ## 0.4.36
 
 
@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* The query `actions/pr-on-self-hosted-runner` was updated to the latest standard runner labels reducing false positive results.
@@ -2,4 +2,4 @@
 
 ### Minor Analysis Improvements
 
-* The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, include regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a sha1 or sha256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.
+* The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, including regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a SHA-1 or SHA-256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.
@@ -1920,3 +1920,5 @@ private YamlMappingLikeNode resolveMatrixAccessPath(
     else result = resolveMatrixAccessPath(newRoot, rest)
   )
 }
+
+class Comment = YamlComment;
@@ -52,6 +52,12 @@ private module YamlSig implements LibYaml::InputSig {
   class ParseErrorBase extends LocatableBase, @yaml_error {
     string getMessage() { yaml_errors(this, result) }
   }
+
+  class CommentBase extends LocatableBase, @yaml_comment {
+    string getText() { yaml_comments(this, result, _) }
+
+    override string toString() { yaml_comments(this, _, result) }
+  }
 }
 
 import LibYaml::Make<YamlSig>
@@ -2,10 +2,12 @@ import actions
 
 bindingset[runner]
 predicate isGithubHostedRunner(string runner) {
-  // list of github hosted repos: https://github.com/actions/runner-images/blob/main/README.md#available-images
-  runner
-      .toLowerCase()
-      .regexpMatch("^(ubuntu-([0-9.]+|latest)|macos-([0-9]+|latest)(-x?large)?|windows-([0-9.]+|latest))$")
+  // The list of github hosted repos:
+  // https://github.com/actions/runner-images/blob/main/README.md#available-images
+  // https://docs.github.com/en/enterprise-cloud@latest/actions/how-tos/write-workflows/choose-where-workflows-run/choose-the-runner-for-a-job#standard-github-hosted-runners-for-public-repositories
+  runner.toLowerCase().regexpMatch("^ubuntu-([0-9.]+|latest|slim)(-arm)?$") or
+  runner.toLowerCase().regexpMatch("^macos-([0-9]+|latest)(-x?large|-intel)?$") or
+  runner.toLowerCase().regexpMatch("^windows-([0-9.]+|latest)(-vs[0-9.]+)?(-arm)?$")
 }
 
 bindingset[runner]
 
@@ -15,7 +15,7 @@
 
 ### Bug Fixes
 
-* Adjusted (minor) help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Clarified wording on in minor point, added one more listed resource and added one more recommendation for things to check.
+* Adjusted (minor) help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Clarified wording on a minor point, added one more listed resource and added one more recommendation for things to check.
 
 ## 0.6.28
 
 
@@ -1,8 +1,8 @@
 /**
- * @name Checkout of untrusted code in a trusted context
- * @description Privileged workflows have read/write access to the base repository and access to secrets.
- *              By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
- *              that is able to push to the base repository and to access secrets.
+ * @name Checkout of untrusted code in a non-privileged context
+ * @description Checking out and running the build script from a fork executes untrusted code. Even in a
+ *              non-privileged workflow, this can be abused, for example to compromise self-hosted runners
+ *              or to poison caches and artifacts that are later consumed by privileged workflows.
  * @kind problem
  * @problem.severity warning
  * @precision medium
@@ -20,4 +20,4 @@ from PRHeadCheckoutStep checkout
 where
   // the checkout occurs in a non-privileged context
   inNonPrivilegedContext(checkout)
-select checkout, "Potential unsafe checkout of untrusted pull request on privileged workflow."
+select checkout, "Potential unsafe checkout of untrusted pull request on non-privileged workflow."
@@ -0,0 +1,4 @@
+---
+category: queryMetadata
+---
+* The name, description, and alert message of `actions/untrusted-checkout/medium` have been corrected to describe a non-privileged context.
-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: fix
 +---
 +* The query `actions/pr-on-self-hosted-runner` was updated to the latest standard runner labels reducing false positive results.
Original file line number	Diff line number	Diff line change
`@@ -2,4 +2,4 @@`
`2`	`2`
`3`	`3`	`### Minor Analysis Improvements`
`4`	`4`
`5`		-* The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, include regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a sha1 or sha256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.
	`5`	+* The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, including regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a SHA-1 or SHA-256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.
Original file line number	Diff line number	Diff line change
`@@ -1920,3 +1920,5 @@ private YamlMappingLikeNode resolveMatrixAccessPath(`
`1920`	`1920`	`else result = resolveMatrixAccessPath(newRoot, rest)`
`1921`	`1921`	`)`
`1922`	`1922`	`}`
	`1923`	`+`
	`1924`	`+class Comment = YamlComment;`
Original file line number	Diff line number	Diff line change
`@@ -52,6 +52,12 @@ private module YamlSig implements LibYaml::InputSig {`
`52`	`52`	`class ParseErrorBase extends LocatableBase, @yaml_error {`
`53`	`53`	`string getMessage() { yaml_errors(this, result) }`
`54`	`54`	`}`
	`55`	`+`
	`56`	`+ class CommentBase extends LocatableBase, @yaml_comment {`
	`57`	`+ string getText() { yaml_comments(this, result, _) }`
	`58`	`+`
	`59`	`+ override string toString() { yaml_comments(this, _, result) }`
	`60`	`+ }`
`55`	`61`	`}`
`56`	`62`
`57`	`63`	`import LibYaml::Make<YamlSig>`