Upgrade CodeQL CLI dependency to v2.25.3

.codeql-version

@@ -1 +1 @@
-v2.25.2
+v2.25.3

.github/workflows/update-codeql.yml

@@ -102,17 +102,81 @@ jobs:
           fi
 
   # ─────────────────────────────────────────────────────────────────────────────
-  # Step 2: Update version, build, test, and create PR
+  # Step 2: Check whether the upgrade branch already exists
+  #
+  # When this workflow runs on its nightly cron schedule and an upgrade PR has
+  # already been opened for the target version, re-running `create-pr` would
+  # force-push over the existing branch and silently discard any review
+  # commits already made on top of the bot's initial push (e.g., manual fixes
+  # to upgrade-packs.sh output or reviewer follow-ups). This job short-circuits
+  # subsequent work in that case so the existing branch is preserved.
+  #
+  # The branch check is skipped on `workflow_dispatch` so a maintainer can
+  # always re-run the upgrade pipeline on demand to re-create the branch.
+  # ─────────────────────────────────────────────────────────────────────────────
+  check-existing-branch:
+    name: Check for Existing Upgrade Branch
+    needs: detect-update
+    if: needs.detect-update.outputs.update_needed == 'true'
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
+    outputs:
+      branch_exists: ${{ steps.check-branch.outputs.branch_exists }}
+
+    steps:
+      - name: Check - Look up upgrade branch on origin
+        id: check-branch
+        env:
+          GH_TOKEN: ${{ github.token }}
+          BRANCH: 'codeql/upgrade-to-${{ needs.detect-update.outputs.version }}'
+          EVENT_NAME: ${{ github.event_name }}
+        run: |
+          if [ "${EVENT_NAME}" = "workflow_dispatch" ]; then
+            echo "ℹ️ Manual dispatch — skipping existing-branch check."
+            echo "branch_exists=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          echo "Checking whether branch '${BRANCH}' exists on ${GITHUB_REPOSITORY}..."
+          if gh api "repos/${GITHUB_REPOSITORY}/branches/${BRANCH}" \
+              --silent > /dev/null 2>&1; then
+            echo "✅ Branch '${BRANCH}' already exists — skipping update to preserve manual edits."
+            echo "branch_exists=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "ℹ️ Branch '${BRANCH}' does not exist — proceeding with update."
+            echo "branch_exists=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Check - Summary
+        env:
+          BRANCH: 'codeql/upgrade-to-${{ needs.detect-update.outputs.version }}'
+        run: |
+          echo "## Upgrade Branch Preflight" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          if [ "${{ steps.check-branch.outputs.branch_exists }}" = "true" ]; then
+            echo "⏭️ Branch \`${BRANCH}\` already exists — skipping the rest of the pipeline to preserve any manual edits or review commits on it." >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "Trigger this workflow manually via \`workflow_dispatch\` to force a refresh." >> $GITHUB_STEP_SUMMARY
+          else
+            echo "▶️ Branch \`${BRANCH}\` does not exist — proceeding with the update pipeline." >> $GITHUB_STEP_SUMMARY
+          fi
+
+  # ─────────────────────────────────────────────────────────────────────────────
+  # Step 3: Update version, build, test, and create PR
   #
   # Updates all version-bearing files, installs dependencies, runs the full
   # build-and-test suite, and creates a pull request with the changes.
   # ─────────────────────────────────────────────────────────────────────────────
   create-pr:
     name: Create Update Pull Request
-    needs: detect-update
-    if: needs.detect-update.outputs.update_needed == 'true'
+    needs: [detect-update, check-existing-branch]
+    if: |
+      needs.detect-update.outputs.update_needed == 'true' &&
+      needs.check-existing-branch.outputs.branch_exists != 'true'
     runs-on: ubuntu-latest
-
     permissions:
       contents: write
       pull-requests: write

client/integration-tests/primitives/tools/codeql_bqrs_interpret/sarif_format/after/results.sarif

@@ -1 +1 @@
-{"$schema":"https://json.schemastore.org/sarif-2.1.0.json","version":"2.1.0","runs":[{"tool":{"driver":{"name":"CodeQL","organization":"GitHub","semanticVersion":"2.25.2","rules":[{"id":"test/query","name":"test/query","shortDescription":{"text":"ExampleQuery1"},"fullDescription":{"text":"Example query for integration testing of the codeql_test_extract MCP server tool."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Query Help for JavaScript ExampleQuery1\n\nTODO\n","markdown":"# Query Help for JavaScript ExampleQuery1\n\nTODO\n"},"properties":{"tags":["mcp-integration-tests"],"description":"Example query for integration testing of the codeql_test_extract MCP server tool.","id":"test/query","kind":"problem","name":"ExampleQuery1","precision":"medium","problem.severity":"warning"}}]},"extensions":[{"name":"mcp-client-integration-tests-static-javascript-src","semanticVersion":"0.0.1+fe0e7d2a7059ebb6c6075ff8eaea04f382747656","locations":[{"uri":"file:///home/runner/work/codeql-development-mcp-server/codeql-development-mcp-server/client/integration-tests/static/javascript/src/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/work/codeql-development-mcp-server/codeql-development-mcp-server/client/integration-tests/static/javascript/src/codeql-pack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/javascript-all","semanticVersion":"2.6.11+ce9c8e6e9fd41ef0967b13849bb6ae2183caf9ad","locations":[{"uri":"file:///home/runner/.codeql/packages/codeql/javascript-all/2.6.11/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/.codeql/packages/codeql/javascript-all/2.6.11/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/threat-models","semanticVersion":"1.0.31+ce9c8e6e9fd41ef0967b13849bb6ae2183caf9ad","locations":[{"uri":"file:///home/runner/.codeql/packages/codeql/threat-models/1.0.31/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/.codeql/packages/codeql/threat-models/1.0.31/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]}]},"artifacts":[{"location":{"uri":"file:///home/runner/work/codeql-development-mcp-server/codeql-development-mcp-server/client/integration-tests/static/javascript/test/ExampleQuery1/ExampleQuery1.js","index":0}}],"results":[{"ruleId":"test/query","ruleIndex":0,"rule":{"id":"test/query","index":0},"message":{"text":"Example test code file found for codeql_test_extract example query."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"file:///home/runner/work/codeql-development-mcp-server/codeql-development-mcp-server/client/integration-tests/static/javascript/test/ExampleQuery1/ExampleQuery1.js","index":0}}}]}],"columnKind":"utf16CodeUnits","properties":{"semmle.formatSpecifier":"sarif-latest"}}]}
+{"$schema":"https://json.schemastore.org/sarif-2.1.0.json","version":"2.1.0","runs":[{"tool":{"driver":{"name":"CodeQL","organization":"GitHub","semanticVersion":"2.25.3","rules":[{"id":"test/query","name":"test/query","shortDescription":{"text":"ExampleQuery1"},"fullDescription":{"text":"Example query for integration testing of the codeql_test_extract MCP server tool."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Query Help for JavaScript ExampleQuery1\n\nTODO\n","markdown":"# Query Help for JavaScript ExampleQuery1\n\nTODO\n"},"properties":{"tags":["mcp-integration-tests"],"description":"Example query for integration testing of the codeql_test_extract MCP server tool.","id":"test/query","kind":"problem","name":"ExampleQuery1","precision":"medium","problem.severity":"warning"}}]},"extensions":[{"name":"mcp-client-integration-tests-static-javascript-src","semanticVersion":"0.0.1+fe0e7d2a7059ebb6c6075ff8eaea04f382747656","locations":[{"uri":"file:///home/runner/work/codeql-development-mcp-server/codeql-development-mcp-server/client/integration-tests/static/javascript/src/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/work/codeql-development-mcp-server/codeql-development-mcp-server/client/integration-tests/static/javascript/src/codeql-pack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/javascript-all","semanticVersion":"2.6.11+ce9c8e6e9fd41ef0967b13849bb6ae2183caf9ad","locations":[{"uri":"file:///home/runner/.codeql/packages/codeql/javascript-all/2.6.11/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/.codeql/packages/codeql/javascript-all/2.6.11/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/threat-models","semanticVersion":"1.0.31+ce9c8e6e9fd41ef0967b13849bb6ae2183caf9ad","locations":[{"uri":"file:///home/runner/.codeql/packages/codeql/threat-models/1.0.31/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/.codeql/packages/codeql/threat-models/1.0.31/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]}]},"artifacts":[{"location":{"uri":"file:///home/runner/work/codeql-development-mcp-server/codeql-development-mcp-server/client/integration-tests/static/javascript/test/ExampleQuery1/ExampleQuery1.js","index":0}}],"results":[{"ruleId":"test/query","ruleIndex":0,"rule":{"id":"test/query","index":0},"message":{"text":"Example test code file found for codeql_test_extract example query."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"file:///home/runner/work/codeql-development-mcp-server/codeql-development-mcp-server/client/integration-tests/static/javascript/test/ExampleQuery1/ExampleQuery1.js","index":0}}}]}],"columnKind":"utf16CodeUnits","properties":{"semmle.formatSpecifier":"sarif-latest"}}]}

extensions/vscode/package.json

@@ -2,7 +2,7 @@
   "name": "vscode-codeql-development-mcp-server",
   "displayName": "CodeQL Development MCP Server",
   "description": "LLM-assisted development of CodeQL queries, libraries, and tests via #ql-mcp prompts, resources, and tools.",
-  "version": "2.25.2",
+  "version": "2.25.3",
   "publisher": "advanced-security",
   "license": "LicenseRef-CodeQL-Terms",
   "icon": "media/codeql-icon.png",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql-development-mcp-server_repo",
-  "version": "2.25.2",
+  "version": "2.25.3",
   "description": "An MCP server supporting LLM requests for CodeQL development tools and resources.",
   "private": true,
   "type": "module",

server/dist/codeql-development-mcp-server.js

@@ -201540,7 +201540,7 @@ init_package_paths();
 init_logger();
 import_dotenv.default.config({ path: resolve14(packageRootDir, ".env"), quiet: true });
 var PACKAGE_NAME = "codeql-development-mcp-server";
-var VERSION = "2.25.2";
+var VERSION = "2.25.3";
 async function startServer(mode = "stdio") {
   logger.info(`Starting CodeQL Development MCP McpServer v${VERSION} in ${mode} mode`);
   const codeqlBinary = resolveCodeQLBinary();

server/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql-development-mcp-server",
-  "version": "2.25.2",
+  "version": "2.25.3",
   "description": "An MCP server supporting LLM requests for CodeQL development tools and resources.",
   "main": "dist/codeql-development-mcp-server.js",
   "type": "module",

server/ql/actions/tools/src/codeql-pack.lock.yml

@@ -2,31 +2,31 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/actions-all:
-    version: 0.4.32
+    version: 0.4.34
   codeql/concepts:
-    version: 0.0.20
+    version: 0.0.22
   codeql/controlflow:
-    version: 2.0.30
+    version: 2.0.32
   codeql/dataflow:
-    version: 2.1.2
+    version: 2.1.4
   codeql/javascript-all:
-    version: 2.6.26
+    version: 2.6.28
   codeql/mad:
-    version: 1.0.46
+    version: 1.0.48
   codeql/regex:
-    version: 1.0.46
+    version: 1.0.48
   codeql/ssa:
-    version: 2.0.22
+    version: 2.0.24
   codeql/threat-models:
-    version: 1.0.46
+    version: 1.0.48
   codeql/tutorial:
-    version: 1.0.46
+    version: 1.0.48
   codeql/typetracking:
-    version: 2.0.30
+    version: 2.0.32
   codeql/util:
-    version: 2.0.33
+    version: 2.0.35
   codeql/xml:
-    version: 1.0.46
+    version: 1.0.48
   codeql/yaml:
-    version: 1.0.46
+    version: 1.0.48
 compiled: false

server/ql/actions/tools/src/codeql-pack.yml

@@ -1,6 +1,6 @@
 name: advanced-security/ql-mcp-actions-tools-src
-version: 2.25.2
+version: 2.25.3
 description: 'Queries for codeql-development-mcp-server tools for actions language'
 library: false
 dependencies:
-  codeql/actions-all: 0.4.32
+  codeql/actions-all: 0.4.34

server/ql/actions/tools/test/codeql-pack.lock.yml

@@ -2,31 +2,31 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/actions-all:
-    version: 0.4.32
+    version: 0.4.34
   codeql/concepts:
-    version: 0.0.20
+    version: 0.0.22
   codeql/controlflow:
-    version: 2.0.30
+    version: 2.0.32
   codeql/dataflow:
-    version: 2.1.2
+    version: 2.1.4
   codeql/javascript-all:
-    version: 2.6.26
+    version: 2.6.28
   codeql/mad:
-    version: 1.0.46
+    version: 1.0.48
   codeql/regex:
-    version: 1.0.46
+    version: 1.0.48
   codeql/ssa:
-    version: 2.0.22
+    version: 2.0.24
   codeql/threat-models:
-    version: 1.0.46
+    version: 1.0.48
   codeql/tutorial:
-    version: 1.0.46
+    version: 1.0.48
   codeql/typetracking:
-    version: 2.0.30
+    version: 2.0.32
   codeql/util:
-    version: 2.0.33
+    version: 2.0.35
   codeql/xml:
-    version: 1.0.46
+    version: 1.0.48
   codeql/yaml:
-    version: 1.0.46
+    version: 1.0.48
 compiled: false

server/ql/actions/tools/test/codeql-pack.yml

@@ -1,5 +1,5 @@
 name: advanced-security/ql-mcp-actions-tools-test
-version: 2.25.2
+version: 2.25.3
 dependencies:
   advanced-security/ql-mcp-actions-tools-src: ${workspace}
 extractor: actions