ci: supply chain hardening for .github/workflows/**

- Add `--ignore-scripts` to all CI `npm ci`/`npm install` invocations and
  set `ignore-scripts=true` in `.npmrc` so install-time scripts from
  transitive dependencies cannot run during PR builds.
- Pin `@types/vscode` in Dependabot config and in the root `upgrade:node`
  script's `--reject` list so it cannot be auto-upgraded past the
  `engines.vscode` floor.
- Add a two-workflow handoff to rebuild `server/dist/**` for Dependabot
  PRs without granting write tokens to untrusted PR code:
    * `build-server.yml` (pull_request, read-only) uploads the built
      `server/dist` artifact and skips the drift check for Dependabot.
    * `dependabot-commit-dist.yml` (workflow_run, trusted, contents:write)
      downloads the artifact, verifies the head SHA, and commits the
      rebuilt files back to the PR branch as `dependabot[bot]`.
- Remove unused `workflow_dispatch:` triggers from workflows that have
  no inputs (lint-and-format, client-integration-tests, query-unit-tests,
  query-unit-tests-swift, copilot-setup-steps); keep it on `release.yml`
  and `update-codeql.yml` (the latter has a meaningful `target_version`
  input).
- Update the add-language skill's `SKILL.md` and `workflow-template.yml`
  to match: drop `workflow_dispatch:`, pin actions to SHAs, and use
  `npm ci --ignore-scripts`.

Author: data-douser

.github/skills/add-mcp-support-for-new-language/SKILL.md

@@ -273,7 +273,6 @@ on:
     branches: ['main']
     paths:
       # Same as above
-  workflow_dispatch:
 
 permissions:
   contents: read
@@ -284,12 +283,12 @@ jobs:
     runs-on: {os}-latest  # e.g., macos-latest, windows-latest
 
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-node@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
           cache: 'npm'
           node-version-file: '.node-version'
-      - run: npm ci --workspaces
+      - run: npm ci --workspaces --ignore-scripts
       - uses: ./.github/actions/setup-codeql-environment
         with:
           install-language-runtimes: false

.github/skills/add-mcp-support-for-new-language/workflow-template.yml

@@ -28,7 +28,6 @@ on:
       - 'server/scripts/extract-test-databases.sh'
       - 'server/scripts/install-packs.sh'
       - 'server/scripts/run-query-unit-tests.sh'
-  workflow_dispatch:
 
 # Prevent duplicate runs from push + PR on the same branch
 concurrency:

.github/workflows/build-and-test-extension.yml

@@ -19,7 +19,6 @@ on:
       - 'server/dist/**'
       - 'server/ql/*/tools/src/**'
       - 'server/src/**'
-  workflow_dispatch:
 
 permissions:
   contents: read
@@ -40,7 +39,7 @@ jobs:
           node-version-file: '.node-version'
 
       - name: Install dependencies
-        run: npm ci --include=optional
+        run: npm ci --include=optional --ignore-scripts
 
       - name: Build server (dependency)
         run: npm run build -w server

.github/workflows/build-server.yml

@@ -13,7 +13,6 @@ on:
       - '.github/workflows/build-server.yml'
       - '.node-version'
       - 'server/**'
-  workflow_dispatch:
 
 permissions:
   contents: read
@@ -38,7 +37,7 @@ jobs:
           node-version-file: '.node-version'
 
       - name: Build Server - Install dependencies
-        run: npm ci --include=optional
+        run: npm ci --include=optional --ignore-scripts
         working-directory: .
 
       - name: Build Server - Clean previous build
@@ -50,7 +49,21 @@ jobs:
       - name: Build Server - Bundle application
         run: npm run bundle
 
+      ## Consumed by dependabot-commit-dist.yml via workflow_run.
+      - name: Build Server - Upload server/dist artifact
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        with:
+          name: server-dist
+          path: |
+            server/dist/codeql-development-mcp-server.js
+            server/dist/codeql-development-mcp-server.js.map
+          if-no-files-found: error
+          retention-days: 7
+
+      ## Skipped for Dependabot PRs: dependabot-commit-dist.yml will push the
+      ## rebuilt 'server/dist' back to the PR branch.
       - name: Build Server - Check for uncommitted changes
+        if: github.actor != 'dependabot[bot]'
         run: |
           if [ -n "$(git status --porcelain)" ]; then
             echo "❌ Uncommitted changes detected after build:"

.github/workflows/client-integration-tests.yml

@@ -19,7 +19,6 @@ on:
       - '.node-version'
       - 'client/**'
       - 'server/**'
-  workflow_dispatch:
 
 permissions:
   contents: read
@@ -61,7 +60,7 @@ jobs:
         run: choco install jq -y
 
       - name: MCP Integration Tests - Install node dependencies for client and server workspaces
-        run: npm ci --workspace=client && npm ci --workspace=server
+        run: npm ci --workspace=client --ignore-scripts && npm ci --workspace=server --ignore-scripts
 
       - name: MCP Integration Tests - Setup CodeQL environment
         uses: ./.github/actions/setup-codeql-environment
@@ -168,7 +167,7 @@ jobs:
           node-version-file: '.node-version'
 
       - name: CODEQL_PATH Tests - Install server dependencies
-        run: npm ci --workspace=server
+        run: npm ci --workspace=server --ignore-scripts
 
       - name: CODEQL_PATH Tests - Build server bundle
         run: npm run bundle -w server

.github/workflows/copilot-setup-steps.yml

@@ -1,31 +1,26 @@
 name: 'Copilot Setup Steps'
 
 on:
-  # Allow manual testing through the repository's "Actions" tab
-  workflow_dispatch: {}
-  # Automatically run the setup steps when an associated workflow is changed.
   push:
     paths:
       - '.codeql-version'
+      - '.github/actions/setup-codeql-environment/action.yml'
       - '.github/workflows/copilot-setup-steps.yml'
       - '.node-version'
-      - '.github/actions/setup-codeql-environment/action.yml'
       - '**/codeql-pack.yml'
       - '**/codeql-pack.lock.yml'
       - '**/package.json'
       - '**/package-lock.json'
-      - '**/qlpack.yml'
   pull_request:
     paths:
       - '.codeql-version'
+      - '.github/actions/setup-codeql-environment/action.yml'
       - '.github/workflows/copilot-setup-steps.yml'
       - '.node-version'
-      - '.github/actions/setup-codeql-environment/action.yml'
       - '**/codeql-pack.yml'
       - '**/codeql-pack.lock.yml'
       - '**/package.json'
       - '**/package-lock.json'
-      - '**/qlpack.yml'
 
 jobs:
   # The job MUST be called `copilot-setup-steps` or it will not be picked up by Copilot.
@@ -51,7 +46,7 @@ jobs:
           node-version-file: '.node-version'
 
       - name: Copilot Setup - Install dependencies
-        run: npm ci --include=optional
+        run: npm ci --include=optional --ignore-scripts
 
       - name: Copilot Setup - Setup CodeQL environment
         uses: ./.github/actions/setup-codeql-environment

.github/workflows/dependabot-commit-dist.yml

@@ -0,0 +1,130 @@
+name: Dependabot Commit Dist - CodeQL Development MCP Server
+
+## Auto-rebuild and commit 'server/dist/**' on Dependabot PRs.
+##
+## Two-workflow handoff: 'build-server.yml' rebuilds with no write token
+## (npm ci --ignore-scripts), uploads the 'server-dist' artifact. This
+## workflow runs in the trusted default-branch context, downloads the
+## artifact, and pushes it to the PR branch. No PR-supplied code executes
+## here.
+
+on:
+  workflow_run:
+    workflows: ['Build Server - CodeQL Development MCP Server']
+    types: [completed]
+
+permissions:
+  contents: read
+
+jobs:
+  commit-dist:
+    name: Commit Rebuilt server/dist to Dependabot PR Branch
+    runs-on: ubuntu-latest
+
+    if: >-
+      github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success' &&
+      github.event.workflow_run.actor.login == 'dependabot[bot]'
+
+    permissions:
+      contents: write
+      actions: read
+
+    steps:
+      - name: Commit Dist - Validate workflow_run head
+        id: pr
+        env:
+          HEAD_REPO: ${{ github.event.workflow_run.head_repository.full_name }}
+          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
+          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
+          REPO: ${{ github.repository }}
+        run: |
+          set -euo pipefail
+          if [ "${HEAD_REPO}" != "${REPO}" ]; then
+            echo "::error::Refusing to push: head repo '${HEAD_REPO}' != '${REPO}'"
+            exit 1
+          fi
+          if [ -z "${HEAD_BRANCH}" ] || [ -z "${HEAD_SHA}" ]; then
+            echo "::error::Missing head_branch or head_sha"
+            exit 1
+          fi
+          echo "branch=${HEAD_BRANCH}" >> "${GITHUB_OUTPUT}"
+          echo "sha=${HEAD_SHA}" >> "${GITHUB_OUTPUT}"
+
+      - name: Commit Dist - Checkout PR branch
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          ref: ${{ steps.pr.outputs.branch }}
+          persist-credentials: true
+          fetch-depth: 1
+
+      ## Abort if the branch advanced since the build started; the next
+      ## build-server run will re-trigger this workflow.
+      - name: Commit Dist - Verify checkout matches build SHA
+        id: verify
+        env:
+          EXPECTED_SHA: ${{ steps.pr.outputs.sha }}
+        run: |
+          set -euo pipefail
+          ACTUAL_SHA="$(git rev-parse HEAD)"
+          if [ "${ACTUAL_SHA}" != "${EXPECTED_SHA}" ]; then
+            echo "::warning::Branch advanced from ${EXPECTED_SHA} to ${ACTUAL_SHA}; skipping."
+            echo "skip=true" >> "${GITHUB_OUTPUT}"
+          else
+            echo "skip=false" >> "${GITHUB_OUTPUT}"
+          fi
+
+      - name: Commit Dist - Download server-dist artifact
+        if: steps.verify.outputs.skip == 'false'
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        with:
+          name: server-dist
+          path: artifact/
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      ## Defence in depth: confirm the artifact contains exactly the two
+      ## expected bundle files before copying into the repo.
+      - name: Commit Dist - Verify artifact contents
+        if: steps.verify.outputs.skip == 'false'
+        run: |
+          set -euo pipefail
+          for f in codeql-development-mcp-server.js codeql-development-mcp-server.js.map; do
+            if [ ! -f "artifact/${f}" ]; then
+              echo "::error::Missing expected artifact file: ${f}"
+              exit 1
+            fi
+          done
+          UNEXPECTED="$(find artifact -type f \
+            ! -name 'codeql-development-mcp-server.js' \
+            ! -name 'codeql-development-mcp-server.js.map' \
+            -print)"
+          if [ -n "${UNEXPECTED}" ]; then
+            echo "::error::Unexpected files in artifact:"
+            echo "${UNEXPECTED}"
+            exit 1
+          fi
+
+      - name: Commit Dist - Commit and push (if changed)
+        if: steps.verify.outputs.skip == 'false'
+        env:
+          BRANCH: ${{ steps.pr.outputs.branch }}
+        run: |
+          set -euo pipefail
+          cp artifact/codeql-development-mcp-server.js server/dist/
+          cp artifact/codeql-development-mcp-server.js.map server/dist/
+
+          git config user.name 'dependabot[bot]'
+          git config user.email '49699333+dependabot[bot]@users.noreply.github.com'
+          git add server/dist/codeql-development-mcp-server.js \
+                  server/dist/codeql-development-mcp-server.js.map
+
+          if git diff --cached --quiet; then
+            echo "::notice::server/dist already up to date."
+            exit 0
+          fi
+
+          git commit -m "chore(deps): rebuild server/dist after dependency update
+
+          [dependabot skip]"
+          git push origin "HEAD:${BRANCH}"

.github/workflows/lint-and-format.yml

@@ -5,7 +5,6 @@ on:
     branches: ['main', 'next']
   push:
     branches: ['main', 'next']
-  workflow_dispatch:
 
 permissions:
   contents: read
@@ -26,7 +25,7 @@ jobs:
           node-version-file: '.node-version'
 
       - name: Lint and Format - Install node dependencies for all workspaces
-        run: npm ci
+        run: npm ci --ignore-scripts
 
       - name: Lint and Format - Run eslint
         run: npm run lint

.github/workflows/query-unit-tests-swift.yml

@@ -21,7 +21,6 @@ on:
       - 'server/ql/swift/**'
       - 'server/scripts/install-packs.sh'
       - 'server/scripts/run-query-unit-tests.sh'
-  workflow_dispatch:
 
 permissions:
   contents: read
@@ -42,7 +41,7 @@ jobs:
           node-version-file: '.node-version'
 
       - name: Query Unit Tests - swift - Install node dependencies for all workspaces
-        run: npm ci --workspaces
+        run: npm ci --workspaces --ignore-scripts
 
       - name: Query Unit Tests - swift - Setup CodeQL environment
         uses: ./.github/actions/setup-codeql-environment

.github/workflows/query-unit-tests.yml

@@ -29,7 +29,6 @@ on:
       - 'server/ql/**'
       - 'server/scripts/install-packs.sh'
       - 'server/scripts/run-query-unit-tests.sh'
-  workflow_dispatch:
 
 permissions:
   contents: read
@@ -58,7 +57,7 @@ jobs:
         run: sudo apt-get install -y jq
 
       - name: Query Unit Tests - ${{ matrix.language }} - Install node dependencies for all workspaces
-        run: npm ci --workspaces
+        run: npm ci --workspaces --ignore-scripts
 
       - name: Query Unit Tests - ${{ matrix.language }} - Setup CodeQL environment
         uses: ./.github/actions/setup-codeql-environment