diff --git a/.github/workflows/__javascript-source-root.yml b/.github/workflows/__javascript-source-root.yml
diff --git a/.github/workflows/__job-run-uuid-sarif.yml b/.github/workflows/__job-run-uuid-sarif.yml
diff --git a/.github/workflows/__language-aliases.yml b/.github/workflows/__language-aliases.yml
diff --git a/.github/workflows/__local-bundle.yml b/.github/workflows/__local-bundle.yml
diff --git a/.github/workflows/__multi-language-autodetect.yml b/.github/workflows/__multi-language-autodetect.yml
diff --git a/.github/workflows/__overlay-init-fallback.yml b/.github/workflows/__overlay-init-fallback.yml
diff --git a/.github/workflows/__packaging-codescanning-config-inputs-js.yml b/.github/workflows/__packaging-codescanning-config-inputs-js.yml
diff --git a/.github/workflows/__packaging-config-inputs-js.yml b/.github/workflows/__packaging-config-inputs-js.yml
diff --git a/.github/workflows/__packaging-config-js.yml b/.github/workflows/__packaging-config-js.yml
diff --git a/.github/workflows/__packaging-inputs-js.yml b/.github/workflows/__packaging-inputs-js.yml
diff --git a/.github/workflows/__quality-queries.yml b/.github/workflows/__quality-queries.yml
diff --git a/.github/workflows/__remote-config.yml b/.github/workflows/__remote-config.yml
diff --git a/.github/workflows/__resolve-environment-action.yml b/.github/workflows/__resolve-environment-action.yml
diff --git a/.github/workflows/__rubocop-multi-language.yml b/.github/workflows/__rubocop-multi-language.yml
diff --git a/.github/workflows/__ruby.yml b/.github/workflows/__ruby.yml
diff --git a/.github/workflows/__rust.yml b/.github/workflows/__rust.yml
diff --git a/.github/workflows/__split-workflow.yml b/.github/workflows/__split-workflow.yml
diff --git a/.github/workflows/__start-proxy.yml b/.github/workflows/__start-proxy.yml
diff --git a/.github/workflows/__submit-sarif-failure.yml b/.github/workflows/__submit-sarif-failure.yml
diff --git a/.github/workflows/__swift-autobuild.yml b/.github/workflows/__swift-autobuild.yml
diff --git a/.github/workflows/__swift-custom-build.yml b/.github/workflows/__swift-custom-build.yml
diff --git a/.github/workflows/__test-autobuild-working-dir.yml b/.github/workflows/__test-autobuild-working-dir.yml
diff --git a/.github/workflows/__test-local-codeql.yml b/.github/workflows/__test-local-codeql.yml
diff --git a/.github/workflows/__test-proxy.yml b/.github/workflows/__test-proxy.yml
diff --git a/.github/workflows/__unset-environment.yml b/.github/workflows/__unset-environment.yml
diff --git a/.github/workflows/__upload-ref-sha-input.yml b/.github/workflows/__upload-ref-sha-input.yml
diff --git a/.github/workflows/__upload-sarif.yml b/.github/workflows/__upload-sarif.yml
diff --git a/.github/workflows/__with-checkout-path.yml b/.github/workflows/__with-checkout-path.yml
diff --git a/.github/workflows/__zstd-bundle-streaming.yml b/.github/workflows/__zstd-bundle-streaming.yml
diff --git a/.github/workflows/__zstd-bundle.yml b/.github/workflows/__zstd-bundle.yml
diff --git a/.github/workflows/check-expected-release-files.yml b/.github/workflows/check-expected-release-files.yml
@@ -9,13 +9,20 @@ on:
     # by other workflows.
     types: [opened, synchronize, reopened, ready_for_review]
 
+defaults:
+  run:
+    shell: bash
+
 jobs:
   check-expected-release-files:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
+
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout CodeQL Action
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Check Expected Release Files
         run: |
           bundle_version="$(cat "./src/defaults.json" | jq -r ".bundleVersion")"

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -13,21 +13,26 @@ on:
     - cron: '30 1 * * 0'
   workflow_dispatch:
 
+defaults:
+  run:
+    shell: bash
+
 env:
   CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks
 
 jobs:
   # Identify the CodeQL tool versions to use in the analysis job.
   check-codeql-versions:
+    if: github.triggering_actor != 'dependabot[bot]'
     runs-on: ubuntu-latest
     outputs:
       versions: ${{ steps.compare.outputs.versions }}
 
     permissions:
-      security-events: write
+      contents: read
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v5
     - name: Init with default CodeQL bundle from the VM image
       id: init-default
       uses: ./init
@@ -70,32 +75,72 @@ jobs:
         echo "Suggested matrix config for analysis job: $VERSIONS_JSON"
         echo "versions=${VERSIONS_JSON}" >> $GITHUB_OUTPUT
 
-  build:
+  analyze-javascript:
+    if: github.triggering_actor != 'dependabot[bot]'
     needs: [check-codeql-versions]
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-20.04,ubuntu-22.04,windows-2019,windows-2022,macos-13,macos-14]
+        os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-13,macos-14,macos-15]
         tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
     runs-on: ${{ matrix.os }}
 
     permissions:
+      contents: read
       security-events: write
 
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
     - name: Initialize CodeQL
       uses: ./init
       id: init
       with:
         languages: javascript
-        config-file: ./.github/codeql/codeql-config.yml
+        config-file: ./.github/codeql/codeql-config-javascript.yml
         tools: ${{ matrix.tools }}
     # confirm steps.init.outputs.codeql-path points to the codeql binary
     - name: Print CodeQL Version
-      run: ${{steps.init.outputs.codeql-path}} version --format=json
+      run: >
+        "$CODEQL" version --format=json
+      env:
+        CODEQL: ${{steps.init.outputs.codeql-path}}
     - name: Perform CodeQL Analysis
       uses: ./analyze
       with:
         category: "/language:javascript"
+        upload: ${{ (matrix.os == 'ubuntu-24.04' && !matrix.tools && 'always') || 'never' }}
+
+  analyze-other:
+    if: github.triggering_actor != 'dependabot[bot]'
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: actions
+          - language: python
+
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v5
+    - name: Initialize CodeQL
+      uses: ./init
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: none
+        config: >
+          paths-ignore:
+            - lib
+            - tests
+          queries:
+            - uses: security-and-quality
+    - name: Perform CodeQL Analysis
+      uses: ./analyze
+      with:
+        category: "/language:${{ matrix.language }}"