diff --git a/.github/actions/release-initialise/action.yml b/.github/actions/release-initialise/action.yml
@@ -0,0 +1,33 @@
+name: 'Prepare release job'
+description: 'Prepare for updating a release branch'
+
+runs:
+  using: "composite"
+  steps:
+
+    - name: Dump environment
+      run: env
+      shell: bash
+
+    - name: Dump GitHub context
+      env:
+        GITHUB_CONTEXT: '${{ toJson(github) }}'
+      run: echo "$GITHUB_CONTEXT"
+      shell: bash
+
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: 3.12
+
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install PyGithub==2.3.0 requests
+      shell: bash
+
+    - name: Update git config
+      run: |
+        git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+        git config --global user.name "github-actions[bot]"
+      shell: bash
diff --git a/.github/actions/setup-swift/action.yml b/.github/actions/setup-swift/action.yml
@@ -0,0 +1,39 @@
+name: "Set up Swift on Linux"
+description: Sets up an appropriate Swift version on Linux.
+inputs:
+  codeql-path:
+    description: Path to the CodeQL CLI executable.
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Get Swift version
+      id: get_swift_version
+      if: runner.os == 'Linux'
+      shell: bash
+      env:
+        CODEQL_PATH: ${{ inputs.codeql-path }}
+      run: |
+        SWIFT_EXTRACTOR_DIR="$("$CODEQL_PATH" resolve languages --format json | jq -r '.swift[0]')"
+        if [ $SWIFT_EXTRACTOR_DIR = "null" ]; then
+          VERSION="null"
+        else
+          VERSION="$("$SWIFT_EXTRACTOR_DIR/tools/linux64/extractor" --version | awk '/version/ { print $3 }')"
+          # Specify 5.x.0, otherwise setup Action will default to latest minor version.
+          if [ $VERSION = "5.7" ]; then
+            VERSION="5.7.0"
+          elif [ $VERSION = "5.8" ]; then
+            VERSION="5.8.0"
+          elif [ $VERSION = "5.9" ]; then
+            VERSION="5.9.0"
+          # setup-swift does not yet support v5.9.1 Remove this when it does.
+          elif [ $VERSION = "5.9.1" ]; then
+            VERSION="5.9.0"
+          fi
+        fi
+        echo "version=$VERSION" | tee -a $GITHUB_OUTPUT
+
+    - uses: redsun82/setup-swift@362f49f31da2f5f4f851657046bdd1290d03edc8 # Please update the corresponding SHA in the CLI's CodeQL Action Integration Test.
+      if: runner.os == 'Linux' && steps.get_swift_version.outputs.version != 'null'
+      with:
+        swift-version: "${{ steps.get_swift_version.outputs.version }}"
diff --git a/.github/actions/update-bundle/action.yml b/.github/actions/update-bundle/action.yml
@@ -0,0 +1,14 @@
+name: Update default CodeQL bundle
+description: Updates 'src/defaults.json' to point to a new CodeQL bundle release.
+
+runs:
+  using: composite
+  steps:
+    - name: Install ts-node
+      shell: bash
+      run: npm install -g ts-node
+
+    - name: Run update script
+      working-directory: ${{ github.action_path }}
+      shell: bash
+      run: ts-node ./index.ts
diff --git a/.github/actions/update-bundle/index.ts b/.github/actions/update-bundle/index.ts
@@ -0,0 +1,67 @@
+import * as fs from 'fs';
+import * as github from '@actions/github';
+
+interface BundleInfo {
+  bundleVersion: string;
+  cliVersion: string;
+}
+
+interface Defaults {
+  bundleVersion: string;
+  cliVersion: string;
+  priorBundleVersion: string;
+  priorCliVersion: string;
+}
+
+function getCodeQLCliVersionForRelease(release): string {
+  // We do not currently tag CodeQL bundles based on the CLI version they contain.
+  // Instead, we use a marker file `cli-version-<version>.txt` to record the CLI version.
+  // This marker file is uploaded as a release asset for all new CodeQL bundles.
+  const cliVersionsFromMarkerFiles = release.assets
+    .map((asset) => asset.name.match(/cli-version-(.*)\.txt/)?.[1])
+    .filter((v) => v)
+    .map((v) => v as string);
+  if (cliVersionsFromMarkerFiles.length > 1) {
+    throw new Error(
+      `Release ${release.tag_name} has multiple CLI version marker files.`
+    );
+  } else if (cliVersionsFromMarkerFiles.length === 0) {
+    throw new Error(
+      `Failed to find the CodeQL CLI version for release ${release.tag_name}.`
+    );
+  }
+  return cliVersionsFromMarkerFiles[0];
+}
+
+async function getBundleInfoFromRelease(release): Promise<BundleInfo> {
+  return {
+    bundleVersion: release.tag_name,
+    cliVersion: getCodeQLCliVersionForRelease(release)
+  };
+}
+
+async function getNewDefaults(currentDefaults: Defaults): Promise<Defaults> {
+  const release = github.context.payload.release;
+  console.log('Updating default bundle as a result of the following release: ' +
+    `${JSON.stringify(release)}.`)
+
+  const bundleInfo = await getBundleInfoFromRelease(release);
+  return {
+    bundleVersion: bundleInfo.bundleVersion,
+    cliVersion: bundleInfo.cliVersion,
+    priorBundleVersion: currentDefaults.bundleVersion,
+    priorCliVersion: currentDefaults.cliVersion
+  };
+}
+
+async function main() {
+  const previousDefaults: Defaults = JSON.parse(fs.readFileSync('../../../src/defaults.json', 'utf8'));
+  const newDefaults = await getNewDefaults(previousDefaults);
+  // Update the source file in the repository. Calling workflows should subsequently rebuild
+  // the Action to update `lib/defaults.json`.
+  fs.writeFileSync('../../../src/defaults.json', JSON.stringify(newDefaults, null, 2) + "\n");
+}
+
+// Ideally, we'd await main() here, but that doesn't work well with `ts-node`.
+// So instead we rely on the fact that Node won't exit until the event loop is empty.
+main();
diff --git a/.github/check-codescanning-config/action.yml b/.github/check-codescanning-config/action.yml
diff --git a/.github/check-sarif/action.yml b/.github/check-sarif/action.yml
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
@@ -7,6 +7,7 @@ queries:
   # we include both even though one is a superset of the
   # other, because we're testing the parsing logic and
   # that the suites exist in the codeql bundle.
+  - uses: security-experimental
   - uses: security-extended
   - uses: security-and-quality
 paths-ignore:

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -2,16 +2,45 @@ version: 2
 updates:
   - package-ecosystem: npm
     directory: "/"
+    reviewers:
+      - "github/codeql-production-shield"
     schedule:
       interval: weekly
     labels:
       - Update dependencies
+    # Ignore incompatible dependency updates
     ignore:
-      - dependency-name: "*"
-        update-types:
-          - version-update:semver-minor
-          - version-update:semver-patch
+      # There is a type incompatibility issue between v0.0.9 and our other dependencies.
+      - dependency-name: "@octokit/plugin-retry"
+        versions: ["~6.0.0"]
+      # v7 requires ESM
+      - dependency-name: "del"
+        versions: ["^7.0.0"]
+      # This is broken due to the way configuration files have changed. 
+      # This might be fixed when we move to eslint v9.
+      - dependency-name: "eslint-plugin-import"
+        versions: [">=2.30.0"]
+    groups:
+      npm:
+        patterns:
+          - "*"
   - package-ecosystem: github-actions
     directory: "/"
+    reviewers:
+      - "github/codeql-production-shield"
     schedule:
       interval: weekly
+    groups:
+      actions:
+        patterns:
+          - "*"
+  - package-ecosystem: github-actions
+    directory: "/.github/actions/setup-swift/" # All subdirectories outside of "/.github/workflows" must be explicitly included.
+    reviewers:
+      - "github/codeql-production-shield"
+    schedule:
+      interval: weekly
+    groups:
+      actions-setup-swift:
+        patterns:
+          - "*"
diff --git a/.github/prepare-test/action.yml b/.github/prepare-test/action.yml
diff --git a/.github/query-filter-test/action.yml b/.github/query-filter-test/action.yml
diff --git a/.github/releases.ini b/.github/releases.ini
@@ -0,0 +1 @@
+OLDEST_SUPPORTED_MAJOR_VERSION=2
diff --git a/.github/setup-swift/action.yml b/.github/setup-swift/action.yml
diff --git a/.github/update-release-branch.py b/.github/update-release-branch.py
diff --git a/.github/workflows/__all-platform-bundle.yml b/.github/workflows/__all-platform-bundle.yml
diff --git a/.github/workflows/__analyze-ref-input.yml b/.github/workflows/__analyze-ref-input.yml
diff --git a/.github/workflows/__autobuild-action.yml b/.github/workflows/__autobuild-action.yml
diff --git a/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml b/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml
diff --git a/.github/workflows/__autobuild-direct-tracing.yml b/.github/workflows/__autobuild-direct-tracing.yml
diff --git a/.github/workflows/__build-mode-autobuild.yml b/.github/workflows/__build-mode-autobuild.yml
diff --git a/.github/workflows/__build-mode-manual.yml b/.github/workflows/__build-mode-manual.yml
diff --git a/.github/workflows/__build-mode-none.yml b/.github/workflows/__build-mode-none.yml
diff --git a/.github/workflows/__build-mode-rollback.yml b/.github/workflows/__build-mode-rollback.yml
diff --git a/.github/workflows/__cleanup-db-cluster-dir.yml b/.github/workflows/__cleanup-db-cluster-dir.yml
diff --git a/.github/workflows/__config-export.yml b/.github/workflows/__config-export.yml
diff --git a/.github/workflows/__config-input.yml b/.github/workflows/__config-input.yml
diff --git a/.github/workflows/__cpp-deptrace-disabled.yml b/.github/workflows/__cpp-deptrace-disabled.yml
diff --git a/.github/workflows/__cpp-deptrace-enabled-on-macos.yml b/.github/workflows/__cpp-deptrace-enabled-on-macos.yml
diff --git a/.github/workflows/__cpp-deptrace-enabled.yml b/.github/workflows/__cpp-deptrace-enabled.yml
diff --git a/.github/workflows/__diagnostics-export.yml b/.github/workflows/__diagnostics-export.yml
diff --git a/.github/workflows/__export-file-baseline-information.yml b/.github/workflows/__export-file-baseline-information.yml
diff --git a/.github/workflows/__extract-direct-to-toolcache.yml b/.github/workflows/__extract-direct-to-toolcache.yml
diff --git a/.github/workflows/__extractor-ram-threads.yml b/.github/workflows/__extractor-ram-threads.yml
diff --git a/.github/workflows/__go-custom-queries.yml b/.github/workflows/__go-custom-queries.yml
diff --git a/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml b/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml
diff --git a/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml b/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml
diff --git a/.github/workflows/__go-indirect-tracing-workaround.yml b/.github/workflows/__go-indirect-tracing-workaround.yml
diff --git a/.github/workflows/__go-tracing-autobuilder.yml b/.github/workflows/__go-tracing-autobuilder.yml