data-douser (Collaborator) commented Feb 10, 2026

Summary of Changes

This PR:

  • upgrades the codeql CLI dependency to v2.24.1 and updates this repo's release version to match;
  • introduces a new JavaScript XSS taint-tracking workshop -- inspired by a production SAP UI5 XSS query -- as an extra level of validation and integration testing for codeql_lsp_* tools;
  • refines instructions for prompt files, updates agent model versions, and improves configuration and setup scripts.

The most important changes are grouped below by theme.

Outline of Changes

Workshop creation and structure

  • Added a comprehensive workshop in .github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss for teaching XSS detection using taint-tracking, including a detailed README.md covering exercises, test structure, learning path, and relation to the production query.
  • Introduced exercise and solution test files (exercises-tests/Exercise1/test.js, exercises-tests/Exercise2/test.js) and .qlref files to support stepwise learning and validation.
  • Added a shell script (build-databases.sh) for automated test database creation for both exercises and solutions.
  • Created a workspace configuration file (codeql-workspace.yml) for pack provisioning.

Prompt instructions and documentation updates

  • Renamed and updated .github/instructions/prompts.instructions.md to .github/instructions/github_prompts.instructions.md, clarifying YAML front-matter requirements and narrowing scope to .github/prompts/*.prompt.md files.
  • Added .github/instructions/server_src_prompts_md.instructions.md with explicit requirements, preferences, and constraints for workflow prompts in server/src/prompts/.
  • Updated the model for the validate-ql-mcp-server-tools-via-workshop.prompt.md prompt to Claude Opus 4.6 (copilot).

Tooling and version updates

  • Bumped .codeql-version from v2.24.0 to v2.24.1 for improved compatibility and features.

Copilot AI and others added 6 commits February 9, 2026 16:12
…codeql-action/init

Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com>
This commit:

- updates `server/src/prompts/*.prompt.md` files to provide better
  guidance to LLMs in relation to iterative and/or LSP-based tools;
- improves unit tests of MCP ^ "workflow prompts";
- adds an example workshop, focused on using LSP-based MCP server
  tools, under the existing create-codeql-query-development-workshop
  agent skill;
- updates .github/ instructions and prompts with lessons learned
  from tool validation via example workshop development.
data-douser requested review from a team and enyil as code owners February 10, 2026 01:29
Copilot AI review requested due to automatic review settings February 10, 2026 01:29
github-actions bot commented Feb 10, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Scorecard details

Package | Version | Score | Details
npm/@eslint/js | ^10.0.1 | 🟢 6.7 | see checks below
  Check | Score | Reason
  Maintained | 🟢 10 | 30 commit(s) and 20 issue activity found in the last 90 days -- score normalized to 10
  Code-Review | 🟢 6 | Found 18/27 approved changesets -- score normalized to 6
  Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
  CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
  Packaging | ⚠️ -1 | packaging workflow not detected
  Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
  License | 🟢 10 | license file detected
  Branch-Protection | 🟢 5 | branch protection is not maximal on development and all release branches
  Signed-Releases | ⚠️ -1 | no releases found
  Binary-Artifacts | 🟢 10 | no binaries found in the repo
  Security-Policy | 🟢 10 | security policy file detected
  Vulnerabilities | 🟢 10 | 0 existing vulnerabilities detected
  Pinned-Dependencies | ⚠️ 1 | dependency not pinned by hash detected -- score normalized to 1
  Fuzzing | ⚠️ 0 | project is not fuzzed
  SAST | 🟢 10 | SAST tool is run on all commits
npm/eslint | ^10.0.0 | 🟢 6.7 | same checks as npm/@eslint/js ^10.0.1 above
npm/@eslint/config-array | 0.23.1 | Unknown | Unknown
npm/@eslint/config-helpers | 0.5.2 | Unknown | Unknown
npm/@eslint/core | 1.1.0 | Unknown | Unknown
npm/@eslint/js | 10.0.1 | 🟢 6.7 | same checks as npm/@eslint/js ^10.0.1 above
npm/@eslint/object-schema | 3.0.1 | Unknown | Unknown
npm/@eslint/plugin-kit | 0.6.0 | Unknown | Unknown
npm/@isaacs/balanced-match | 4.0.1 | Unknown | Unknown
npm/@isaacs/brace-expansion | 5.0.1 | Unknown | Unknown
npm/@types/esrecurse | 4.3.1 | 🟢 6.9 | see checks below
  Check | Score | Reason
  Code-Review | 🟢 8 | Found 25/30 approved changesets -- score normalized to 8
  Maintained | 🟢 10 | 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
  Packaging | ⚠️ -1 | packaging workflow not detected
  CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
  License | 🟢 9 | license file detected
  Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
  Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
  Security-Policy | 🟢 10 | security policy file detected
  Signed-Releases | ⚠️ -1 | no releases found
  Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
  Vulnerabilities | 🟢 10 | 0 existing vulnerabilities detected
  SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0
  Binary-Artifacts | 🟢 10 | no binaries found in the repo
  Pinned-Dependencies | 🟢 8 | dependency not pinned by hash detected -- score normalized to 8
  Fuzzing | ⚠️ 0 | project is not fuzzed
npm/@typescript-eslint/eslint-plugin | 8.55.0 | 🟢 5.3 | see checks below
  Check | Score | Reason
  Maintained | 🟢 10 | 30 commit(s) and 22 issue activity found in the last 90 days -- score normalized to 10
  Code-Review | 🟢 8 | Found 16/18 approved changesets -- score normalized to 8
  CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
  Packaging | ⚠️ -1 | packaging workflow not detected
  Security-Policy | 🟢 10 | security policy file detected
  License | 🟢 10 | license file detected
  Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
  Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
  Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
  Signed-Releases | ⚠️ -1 | no releases found
  Binary-Artifacts | 🟢 10 | no binaries found in the repo
  Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0
  Fuzzing | ⚠️ 0 | project is not fuzzed
  Vulnerabilities | ⚠️ 0 | 16 existing vulnerabilities detected
  SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0
npm/@typescript-eslint/parser | 8.55.0 | 🟢 5.3 | same checks as npm/@typescript-eslint/eslint-plugin 8.55.0 above
npm/@typescript-eslint/project-service | 8.55.0 | 🟢 5.3 | same checks as npm/@typescript-eslint/eslint-plugin 8.55.0 above
npm/@typescript-eslint/scope-manager | 8.55.0 | 🟢 5.3 | same checks as npm/@typescript-eslint/eslint-plugin 8.55.0 above
npm/@typescript-eslint/tsconfig-utils | 8.55.0 | 🟢 5.3 | same checks as npm/@typescript-eslint/eslint-plugin 8.55.0 above
npm/@typescript-eslint/type-utils | 8.55.0 | 🟢 5.3 | same checks as npm/@typescript-eslint/eslint-plugin 8.55.0 above
npm/@typescript-eslint/types | 8.55.0 | 🟢 5.3 | same checks as npm/@typescript-eslint/eslint-plugin 8.55.0 above
npm/@typescript-eslint/typescript-estree | 8.55.0 | 🟢 5.3 | same checks as npm/@typescript-eslint/eslint-plugin 8.55.0 above
npm/@typescript-eslint/utils | 8.55.0 | 🟢 5.3 | same checks as npm/@typescript-eslint/eslint-plugin 8.55.0 above
npm/@typescript-eslint/visitor-keys | 8.55.0 | 🟢 5.3 | same checks as npm/@typescript-eslint/eslint-plugin 8.55.0 above
npm/client | 2.24.1 | Unknown | Unknown
npm/eslint | 10.0.0 | 🟢 6.7 | same checks as npm/@eslint/js ^10.0.1 above
npm/eslint-scope | 9.1.0 | Unknown | Unknown
npm/eslint-visitor-keys | 5.0.0 | Unknown | Unknown
npm/espree | 11.1.0 | Unknown | Unknown
npm/minimatch | 10.1.2 | 🟢 4.9 | see checks below
  Check | Score | Reason
  Packaging | ⚠️ -1 | packaging workflow not detected
  Maintained | 🟢 3 | 3 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 3
  Code-Review | ⚠️ 1 | Found 4/28 approved changesets -- score normalized to 1
  Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
  CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
  Binary-Artifacts | 🟢 10 | no binaries found in the repo
  Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
  Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0
  Fuzzing | ⚠️ 0 | project is not fuzzed
  License | 🟢 10 | license file detected
  Signed-Releases | ⚠️ -1 | no releases found
  Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
  Security-Policy | 🟢 10 | security policy file detected
  Vulnerabilities | 🟢 10 | 0 existing vulnerabilities detected
  SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0
npm/server | 2.24.1 | 🟢 3.5 | see checks below
  Check | Score | Reason
  Packaging | ⚠️ -1 | packaging workflow not detected
  Code-Review | ⚠️ 1 | Found 4/30 approved changesets -- score normalized to 1
  Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
  Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
  Maintained | ⚠️ 0 | 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
  Binary-Artifacts | 🟢 10 | no binaries found in the repo
  CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
  Security-Policy | ⚠️ 0 | security policy file not detected
  Vulnerabilities | 🟢 10 | 0 existing vulnerabilities detected
  Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0
  Fuzzing | ⚠️ 0 | project is not fuzzed
  License | 🟢 10 | license file detected
  Signed-Releases | ⚠️ -1 | no releases found
  Branch-Protection | ⚠️ 0 | branch protection not enabled on development/release branches
  SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0
npm/typescript-eslint | 8.55.0 | 🟢 5.3 | same checks as npm/@typescript-eslint/eslint-plugin 8.55.0 above

Scanned Files

  • .github/workflows/release.yml
  • client/package.json
  • package-lock.json

github-advanced-security bot left a comment

CodeQL found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

Copilot AI left a comment

Pull request overview

Prepares the repository for the v2.24.1 release by bumping CLI/package/tool-pack versions, updating release automation, and strengthening prompt/workflow documentation and tests (including a new example workshop).

Changes:

  • Bump versions to 2.24.1 across .codeql-version, package.json files, server version constants, and QL tool packs (plus lockfiles).
  • Improve release workflow to support workflow_dispatch tag-based releases and to use the repo’s local CodeQL environment setup action.
  • Expand workflow prompt tests and update prompt markdown guidance/content, plus add a new end-to-end workshop example under .github/skills/....

Reviewed changes

Copilot reviewed 107 out of 115 changed files in this pull request and generated 82 comments.

File Description
server/test/src/prompts/workflow-prompts.test.ts Adds extensive schema/handler validation coverage for workflow prompts.
server/src/prompts/workshop-creation-workflow.prompt.md Enhances workshop prompt guidance (adds iterative LSP workflow/tool references).
server/src/prompts/tools-query-workflow.prompt.md Adds explicit post-AST-analysis guidance for LSP tools (0-based positions, workspace root).
server/src/prompts/sarif-rank-true-positives.prompt.md Updates frontmatter format (agent: agent).
server/src/prompts/sarif-rank-false-positives.prompt.md Updates frontmatter format (agent: agent).
server/src/prompts/ql-tdd-basic.prompt.md Improves LSP tool parameter guidance and common pitfalls.
server/src/prompts/ql-tdd-advanced.prompt.md Clarifies finder vs LSP position bases and workspace path expectations.
server/src/prompts/ql-lsp-iterative-development.prompt.md Expands iterative LSP workflow prompt with concrete tool-call patterns and examples.
server/src/prompts/explain-codeql-query.prompt.md Updates frontmatter and clarifies quick-evaluate flow using position finders.
server/src/prompts/document-codeql-query.prompt.md Updates frontmatter and adds LSP-based type exploration step.
server/src/codeql-development-mcp-server.ts Bumps server VERSION constant to 2.24.1.
server/ql/swift/tools/test/codeql-pack.yml Bumps tool-pack test version to 2.24.1.
server/ql/swift/tools/test/codeql-pack.lock.yml Updates pinned CodeQL pack dependency versions.
server/ql/swift/tools/src/codeql-pack.yml Bumps tool-pack src version and codeql/swift-all dependency.
server/ql/swift/tools/src/codeql-pack.lock.yml Updates pinned CodeQL pack dependency versions.
server/ql/ruby/tools/test/codeql-pack.yml Bumps tool-pack test version to 2.24.1.
server/ql/ruby/tools/test/codeql-pack.lock.yml Updates pinned CodeQL pack dependency versions.
server/ql/ruby/tools/src/codeql-pack.yml Bumps tool-pack src version and codeql/ruby-all dependency.
server/ql/ruby/tools/src/codeql-pack.lock.yml Updates pinned CodeQL pack dependency versions.
server/ql/python/tools/test/codeql-pack.yml Bumps tool-pack test version to 2.24.1.
server/ql/python/tools/test/codeql-pack.lock.yml Updates pinned CodeQL pack dependency versions.
server/ql/python/tools/src/codeql-pack.yml Bumps tool-pack src version and codeql/python-all dependency.
server/ql/python/tools/src/codeql-pack.lock.yml Updates pinned CodeQL pack dependency versions.
server/ql/javascript/tools/test/codeql-pack.yml Bumps tool-pack test version to 2.24.1.
server/ql/javascript/tools/test/codeql-pack.lock.yml Updates pinned CodeQL pack dependency versions.
server/ql/javascript/tools/src/codeql-pack.yml Bumps tool-pack src version and codeql/javascript-all dependency.
server/ql/javascript/tools/src/codeql-pack.lock.yml Updates pinned CodeQL pack dependency versions.
server/ql/java/tools/test/codeql-pack.yml Bumps tool-pack test version to 2.24.1.
server/ql/java/tools/test/codeql-pack.lock.yml Updates pinned CodeQL pack dependency versions.
server/ql/java/tools/src/codeql-pack.yml Bumps tool-pack src version and codeql/java-all dependency.
server/ql/java/tools/src/codeql-pack.lock.yml Updates pinned CodeQL pack dependency versions.
server/ql/go/tools/test/codeql-pack.yml Bumps tool-pack test version to 2.24.1.
server/ql/go/tools/test/codeql-pack.lock.yml Updates pinned CodeQL pack dependency versions.
server/ql/go/tools/src/codeql-pack.yml Bumps tool-pack src version and codeql/go-all dependency.
server/ql/go/tools/src/codeql-pack.lock.yml Updates pinned CodeQL pack dependency versions.
server/ql/csharp/tools/test/codeql-pack.yml Bumps tool-pack test version to 2.24.1.
server/ql/csharp/tools/test/codeql-pack.lock.yml Updates pinned CodeQL pack dependency versions.
server/ql/csharp/tools/src/codeql-pack.yml Bumps tool-pack src version and codeql/csharp-all dependency.
server/ql/csharp/tools/src/codeql-pack.lock.yml Updates pinned CodeQL pack dependency versions.
server/ql/cpp/tools/test/codeql-pack.yml Bumps tool-pack test version to 2.24.1.
server/ql/cpp/tools/test/codeql-pack.lock.yml Updates pinned CodeQL pack dependency versions.
server/ql/cpp/tools/src/codeql-pack.yml Bumps tool-pack src version and codeql/cpp-all dependency.
server/ql/cpp/tools/src/codeql-pack.lock.yml Updates pinned CodeQL pack dependency versions.
server/ql/actions/tools/test/codeql-pack.yml Bumps tool-pack test version to 2.24.1.
server/ql/actions/tools/test/codeql-pack.lock.yml Updates pinned CodeQL pack dependency versions.
server/ql/actions/tools/src/codeql-pack.yml Bumps tool-pack src version and codeql/actions-all dependency.
server/ql/actions/tools/src/codeql-pack.lock.yml Updates pinned CodeQL pack dependency versions.
server/package.json Bumps server package version to 2.24.1.
server/dist/codeql-development-mcp-server.js Updates bundled output to reflect version bump.
package.json Bumps repo version and updates upgrade:node script flags and typescript-eslint version.
package-lock.json Updates lockfile for version bumps and dependency upgrades (incl. eslint/typescript-eslint).
docs/public.md Updates public docs examples to 2.24.1 and updated JS pack dependency version.
client/src/lib/commands/metadata-commands.js Preserves underlying write errors by adding { cause } to thrown errors.
client/src/lib/commands/basic-commands.js Preserves underlying write errors by adding { cause } to thrown errors.
client/package.json Bumps client package version and eslint dev deps.
client/integration-tests/primitives/tools/codeql_bqrs_interpret/sarif_format/after/results.sarif Updates SARIF expected output to CodeQL 2.24.1 semanticVersion.
.prettierignore Ignores .tmp/, query-results, and workshops output paths.
.github/workflows/release.yml Improves tag handling for workflow_dispatch releases and switches to local CodeQL environment setup action.
.github/skills/upgrade-codeql-cli-and-packs/SKILL.md Updates skill docs/examples to reference v2.24.1.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/tests-common/test.js Adds shared workshop test fixture JS source.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/tests-common/codeql-pack.yml Adds CodeQL pack metadata for shared workshop tests.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/solutions/codeql-pack.yml Adds solutions pack metadata and JS library dependency.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/solutions/codeql-pack.lock.yml Adds pinned dependencies for solutions pack.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/solutions/Exercise1.ql Adds reference solution query for Exercise 1.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/solutions/Exercise2.ql Adds reference solution query for Exercise 2.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/solutions/Exercise3.ql Adds reference solution query for Exercise 3.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/solutions/Exercise4.ql Adds reference solution query for Exercise 4.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/solutions/Exercise5.ql Adds reference solution query for Exercise 5 (path-problem).
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/solutions-tests/codeql-pack.yml Adds pack metadata for solution tests.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/solutions-tests/codeql-pack.lock.yml Adds pinned dependencies for solution tests pack.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/solutions-tests/Exercise1/test.js Adds solution test source fixture for Exercise 1.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/solutions-tests/Exercise1/Exercise1.qlref Adds qlref for solution test.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/solutions-tests/Exercise1/Exercise1.expected Adds expected output baseline for solution test.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/solutions-tests/Exercise2/test.js Adds solution test source fixture for Exercise 2.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/solutions-tests/Exercise2/Exercise2.qlref Adds qlref for solution test.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/solutions-tests/Exercise2/Exercise2.expected Adds expected output baseline for solution test.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/solutions-tests/Exercise3/test.js Adds solution test source fixture for Exercise 3.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/solutions-tests/Exercise3/Exercise3.qlref Adds qlref for solution test.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/solutions-tests/Exercise3/Exercise3.expected Adds expected output baseline for solution test.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/solutions-tests/Exercise4/test.js Adds solution test source fixture for Exercise 4.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/solutions-tests/Exercise4/Exercise4.qlref Adds qlref for solution test.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/solutions-tests/Exercise4/Exercise4.expected Adds expected output baseline for solution test.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/solutions-tests/Exercise5/test.js Adds solution test source fixture for Exercise 5.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/solutions-tests/Exercise5/Exercise5.qlref Adds qlref for solution test.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/solutions-tests/Exercise5/Exercise5.expected Adds expected output baseline for solution test.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/exercises/codeql-pack.yml Adds exercises pack metadata and JS library dependency.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/exercises/Exercise1.ql Adds stub exercise query for trainees.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/exercises/Exercise2.ql Adds stub exercise query for trainees.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/exercises/Exercise3.ql Adds stub exercise query for trainees.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/exercises/Exercise4.ql Adds stub exercise query for trainees.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/exercises/Exercise5.ql Adds stub exercise query for trainees.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/exercises-tests/codeql-pack.yml Adds pack metadata for exercise tests.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/exercises-tests/Exercise1/test.js Adds exercise test fixture for Exercise 1.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/exercises-tests/Exercise1/Exercise1.qlref Adds qlref for exercise test.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/exercises-tests/Exercise1/Exercise1.expected Adds (currently empty) expected baseline placeholder for exercise test.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/exercises-tests/Exercise2/test.js Adds exercise test fixture for Exercise 2.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/exercises-tests/Exercise2/Exercise2.qlref Adds qlref for exercise test.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/exercises-tests/Exercise2/Exercise2.expected Adds (currently empty) expected baseline placeholder for exercise test.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/exercises-tests/Exercise3/test.js Adds exercise test fixture for Exercise 3.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/exercises-tests/Exercise3/Exercise3.qlref Adds qlref for exercise test.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/exercises-tests/Exercise3/Exercise3.expected Adds (currently empty) expected baseline placeholder for exercise test.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/exercises-tests/Exercise4/test.js Adds exercise test fixture for Exercise 4.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/exercises-tests/Exercise4/Exercise4.qlref Adds qlref for exercise test.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/exercises-tests/Exercise4/Exercise4.expected Adds (currently empty) expected baseline placeholder for exercise test.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/exercises-tests/Exercise5/test.js Adds exercise test fixture for Exercise 5.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/exercises-tests/Exercise5/Exercise5.qlref Adds qlref for exercise test.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/exercises-tests/Exercise5/Exercise5.expected Adds (currently empty) expected baseline placeholder for exercise test.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/codeql-workspace.yml Adds a workspace file to surface packs for CodeQL tooling.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/build-databases.sh Adds helper script to build .testproj databases for the workshop.
.github/skills/create-codeql-query-development-workshop/examples/codeql-sap-js-ui5-xss/README.md Adds full workshop documentation and guidance for running/learning exercises.
.github/prompts/validate-ql-mcp-server-tools-via-workshop.prompt.md Updates prompt metadata (model string).
.github/instructions/server_src_prompts_md.instructions.md Adds repo guidance for server/src/prompts/*.prompt.md authoring conventions.
.github/instructions/github_prompts.instructions.md Narrows scope and updates frontmatter expectations for .github/prompts/*.prompt.md.
.codeql-version Bumps CodeQL CLI version to v2.24.1.
Comments suppressed due to low confidence (2)

server/test/src/prompts/workflow-prompts.test.ts:877

  • This blank line contains trailing whitespace. Please remove the extra spaces to keep the file clean and avoid whitespace-related lint/format failures.

.github/workflows/release.yml:35

  • fetch-tags: true alone may still leave the checkout shallow (default fetch-depth: 1), which can prevent git checkout refs/tags/<tag> from working for tags not pointing at the initially fetched commit. Consider setting fetch-depth: 0 (or otherwise ensuring the tag's commit object is fetched) to make workflow_dispatch tag checkouts reliable.

@data-douser data-douser self-assigned this Feb 10, 2026
@data-douser
Collaborator Author

@copilot create a new pull request to make further improvements to the .github/workflows/release.yml actions workflow such that the specified "v*" tag (ref) is created by the release workflow if the tag does not already exist. This is to avoid workflow run errors like below for the example "v2.24.1-alpha" tag:

```
Run # For workflow_dispatch, we need to checkout the specific tag
Error: Tag 'v2.24.1-alpha' does not exist. Create the tag first before running this workflow.
Error: Process completed with exit code 1.
```
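The "create the tag if it does not already exist" step requested above, written out as an added example for readers of this thread; it is not the repository's own release.yml logic and not the change made in the follow-up pull request. It assumes the tag is created as an annotated tag at the current HEAD of the given repository, and that acceptable names follow the "v<major>.<minor>.<patch>[-prerelease]" shape of the "v2.24.1-alpha" example; the function names, the `Release <tag>` message and the GITHUB_WORKSPACE usage line are illustrative choices, not conventions from the page.

```shell
#!/bin/sh
# Added example (not the repo's release.yml step): make sure a "v*" release tag
# exists before a workflow_dispatch run tries to check it out.
# Assumptions: the tag is created as an annotated tag at HEAD of REPO_DIR, and
# valid names look like v1.2.3 or v1.2.3-alpha (SemVer-like, "v" prefix).

# validate_tag TAG
# Returns 0 when TAG has the expected shape, non-zero otherwise. Validating the
# name first keeps an arbitrary dispatch input from becoming a ref name.
validate_tag() {
    printf '%s\n' "$1" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$'
}

# ensure_tag REPO_DIR TAG
# Prints "exists" when REPO_DIR already has TAG resolving to a commit; otherwise
# creates an annotated tag at HEAD and prints "created". Returns 2 for an
# invalid tag name and 1 if git could not create the tag.
ensure_tag() {
    repo=$1
    tag=$2
    validate_tag "$tag" || { echo "invalid tag name: $tag" >&2; return 2; }
    # "^{commit}" peels an annotated tag to its commit, so this also fails when
    # the tag object is present but its commit was not fetched.
    if git -C "$repo" rev-parse -q --verify "refs/tags/$tag^{commit}" >/dev/null 2>&1; then
        echo exists
    else
        git -C "$repo" tag -a "$tag" -m "Release $tag" || return 1
        echo created
    fi
}

# Illustrative use in a workflow step (assumed, not from the page): TAG holds
# the dispatched tag name, GITHUB_WORKSPACE the checked-out repository.
#   ensure_tag "$GITHUB_WORKSPACE" "$TAG" && git push origin "refs/tags/$TAG"
```

The function only creates the tag locally; pushing it is a separate step, as is the checkout depth concern raised in the review comment, since a tag created at HEAD always points at a commit the runner already has.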

Contributor

Copilot AI commented Feb 10, 2026

@data-douser I've opened a new pull request, #39, to work on those changes. Once the pull request is ready, I'll request review from you.

@data-douser
Collaborator Author

LGTM

@data-douser
Collaborator Author

Code scanning failures are from .github/skills/** files that should have been ignored by paths-ignore config in .github/codeql/codeql-config.yml.

…e for `codeql-development-mcp-server` (#40)

* Initial plan

* Enable auto-creation of tags in release workflow for workflow_dispatch

Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com>

* More fixes for release workflow

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings February 10, 2026 04:11

Copilot AI left a comment


Pull request overview

Copilot reviewed 110 out of 118 changed files in this pull request and generated 6 comments.


@enyil enyil left a comment


LGTM!

@enyil enyil enabled auto-merge February 10, 2026 14:18
…oaded release artifacts (#41)

* Initial plan

* Enable auto-creation of tags in release workflow for workflow_dispatch

Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com>

* More fixes for release workflow

* Add CodeQL query packs as uploaded release artifacts

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
@enyil enyil added this pull request to the merge queue Feb 10, 2026
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to no response for status checks Feb 10, 2026
@enyil enyil added this pull request to the merge queue Feb 10, 2026
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to no response for status checks Feb 10, 2026
@data-douser data-douser added this pull request to the merge queue Feb 10, 2026
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to no response for status checks Feb 10, 2026
Copilot AI review requested due to automatic review settings February 10, 2026 16:45

Copilot AI left a comment


Pull request overview

Copilot reviewed 111 out of 119 changed files in this pull request and generated 7 comments.

@data-douser
Collaborator Author

@copilot open a new pull request to apply changes for unresolved comments in this thread

Contributor

Copilot AI commented Feb 10, 2026

@data-douser I've opened a new pull request, #43, to work on those changes. Once the pull request is ready, I'll request review from you.

@data-douser data-douser added this pull request to the merge queue Feb 10, 2026
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to no response for status checks Feb 10, 2026
@data-douser data-douser merged commit 2a81e2b into main Feb 10, 2026
27 of 28 checks passed
@data-douser data-douser deleted the dd/update-release-v2-24-1 branch February 10, 2026 21:32

3 participants