Merge remote-tracking branch 'origin/michaelrfairhurst/implement-package-preprocessor' into implement-package-preprocessor2

Author: MichaelRFairhurst

.github/workflows/code-scanning-pack-gen.yml

@@ -1,4 +1,6 @@
 name: Code Scanning Query Pack Generation
+permissions:
+  contents: read
 
 on:
   merge_group:
@@ -26,7 +28,7 @@ jobs:
       matrix: ${{ steps.export-code-scanning-pack-matrix.outputs.matrix }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Export Code Scanning pack matrix
         id: export-code-scanning-pack-matrix
         run: |
@@ -42,11 +44,11 @@ jobs:
       fail-fast: false
       matrix: ${{ fromJSON(needs.prepare-code-scanning-pack-matrix.outputs.matrix) }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Cache CodeQL
         id: cache-codeql
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: ${{ github.workspace }}/codeql_home
           key: codeql-home-${{ matrix.os }}-${{ matrix.codeql_cli }}-${{ matrix.codeql_standard_library }}
@@ -82,7 +84,7 @@ jobs:
         id: checkout-external-help-files
         # PRs from forks and dependabot do not have access to an appropriate token for cloning the help files repos
         if: ${{ !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]' }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           ssh-key: ${{ secrets.CODEQL_CODING_STANDARDS_HELP_KEY }}
           repository: "github/codeql-coding-standards-help"
@@ -109,7 +111,7 @@ jobs:
           zip -r codeql-coding-standards/code-scanning-cpp-query-pack.zip codeql-coding-standards/c/ codeql-coding-standards/cpp/ codeql-coding-standards/.codeqlmanifest.json codeql-coding-standards/supported_codeql_configs.json codeql-coding-standards/scripts/configuration codeql-coding-standards/scripts/reports codeql-coding-standards/scripts/shared codeql-coding-standards/scripts/guideline_recategorization codeql-coding-standards/schemas
 
       - name: Upload GHAS Query Pack
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: code-scanning-cpp-query-pack.zip
           path: code-scanning-cpp-query-pack.zip
@@ -130,7 +132,7 @@ jobs:
           codeql pack bundle --output=report-coding-standards.tgz cpp/report/src
 
       - name: Upload qlpack bundles
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: coding-standards-codeql-packs
           path: '*-coding-standards.tgz'

.github/workflows/codeql_unit_tests.yml

@@ -1,4 +1,6 @@
 name: CodeQL Unit Testing
+permissions:
+  contents: read
 
 on:
   merge_group:
@@ -23,7 +25,7 @@ jobs:
       matrix: ${{ steps.export-unit-test-matrix.outputs.matrix }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Export unit test matrix
         id: export-unit-test-matrix
@@ -45,10 +47,10 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Install Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: "3.9"
 
@@ -57,7 +59,7 @@ jobs:
 
       - name: Cache CodeQL
         id: cache-codeql
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           # A list of files, directories, and wildcard patterns to cache and restore
           path: ${{github.workspace}}/codeql_home
@@ -151,7 +153,7 @@ jobs:
               file.close()
 
       - name: Upload test results
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: ${{ matrix.language }}-test-results-${{ runner.os }}-${{ matrix.codeql_cli }}-${{ matrix.codeql_standard_library_ident }}
           path: |
@@ -166,12 +168,12 @@ jobs:
     steps:
       - name: Check if run-test-suites job failed to complete, if so fail
         if: ${{ needs.run-test-suites.result == 'failure' }}
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           script: |
             core.setFailed('Test run job failed')
       - name: Collect test results
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v6
 
       - name: Validate test results
         run: |

.github/workflows/dispatch-matrix-test-on-comment.yml

@@ -1,4 +1,8 @@
 name: 🤖 Run Matrix Check (On Comment)
+permissions:
+  contents: read
+  actions: write
+  pull-requests: write
 
 on:
   issue_comment:
@@ -9,7 +13,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Check permission
         id: check-write-permission
@@ -40,7 +44,7 @@ jobs:
           --json \
             -R github/codeql-coding-standards-release-engineering
 
-      - uses: actions/github-script@v7
+      - uses: actions/github-script@v8
         if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-matrix') && steps.check-write-permission.outputs.has-permission }}
         with:
           script: |

.github/workflows/dispatch-release-performance-check.yml

@@ -1,4 +1,8 @@
 name: 🏁 Run Release Performance Check
+permissions:
+  contents: read
+  actions: write
+  pull-requests: write
 
 on:
   issue_comment:
@@ -9,7 +13,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Check permission
         id: check-write-permission
@@ -40,7 +44,7 @@ jobs:
           --json \
           -R github/codeql-coding-standards-release-engineering
 
-      - uses: actions/github-script@v7
+      - uses: actions/github-script@v8
         if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-performance') && steps.check-write-permission.outputs.has-permission }}
         with:
           script: |

.github/workflows/extra-rule-validation.yml

@@ -1,4 +1,6 @@
 name: ⚙️ Extra Rule Validation
+permissions:
+  contents: read
 
 on:
   merge_group:
@@ -21,7 +23,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Check Rules 
         shell: pwsh
@@ -33,7 +35,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Ensure CPP Shared Rules Have Valid Structure  
         shell: pwsh
@@ -44,13 +46,13 @@ jobs:
         run: scripts/util/Test-SharedImplementationsHaveTestCases.ps1 -Language c -CIMode
 
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v5
         if: failure()
         with:
           name: missing-test-report.csv
           path: MissingTestReport*.csv
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v5
         if: failure()
         with:
           name: test-report.csv

.github/workflows/finalize-release.yml

@@ -1,4 +1,9 @@
 name: Finalize Release
+permissions:
+  contents: write
+  pull-requests: write
+  actions: write
+
 on:
   pull_request:
     types:
@@ -39,20 +44,20 @@ jobs:
           fi
 
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           ref: ${{ env.REF }}
           fetch-depth: 0
           path: release 
 
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           ref: ${{ env.TOOL_REF }}
           path: tooling 
 
       - name: Install Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: "3.9"
 

.github/workflows/generate-html-docs.yml

@@ -1,4 +1,6 @@
 name: Generate HTML documentation
+permissions:
+  contents: read
 
 on:
   merge_group:
@@ -20,10 +22,10 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Install Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: "3.9"
 
@@ -35,7 +37,7 @@ jobs:
           python scripts/documentation/generate_iso26262_docs.py coding-standards-html-docs
 
       - name: Upload HTML documentation
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: coding-standards-docs-${{ github.sha }}
           path: coding-standards-html-docs/

.github/workflows/prepare-release.yml

@@ -34,12 +34,12 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           ref: ${{ inputs.ref }}
 
       - name: Install Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: "3.9"
 

.github/workflows/standard_library_upgrade_tests.yml

@@ -1,4 +1,6 @@
 name: CodeQL Standard Library Upgrade tests
+permissions:
+  contents: read
 
 # Run this workflow every time the "supported_codeql_configs.json" file is changed
 on:
@@ -19,7 +21,7 @@ jobs:
       matrix: ${{ steps.export-unit-test-matrix.outputs.matrix }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Export unit test matrix
         id: export-unit-test-matrix
@@ -41,16 +43,16 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Setup Python 3
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: "3.x"
 
       - name: Cache CodeQL
         id: cache-codeql
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           # A list of files, directories, and wildcard patterns to cache and restore
           path: ${{github.workspace}}/codeql_home
@@ -143,7 +145,7 @@ jobs:
               }, test_summary_file)
 
       - name: Upload test results
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: test-results-${{runner.os}}-${{matrix.codeql_cli}}-${{matrix.codeql_standard_library_ident}}
           path: |
@@ -157,12 +159,12 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Install Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: "3.9"
 
       - name: Collect test results
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v6
 
       - name: Validate test results
         shell: python