diff --git a/.github/check-codescanning-config/action.yml b/.github/actions/check-codescanning-config/action.yml similarity index 100% rename from .github/check-codescanning-config/action.yml rename to .github/actions/check-codescanning-config/action.yml diff --git a/.github/check-codescanning-config/index.ts b/.github/actions/check-codescanning-config/index.ts similarity index 100% rename from .github/check-codescanning-config/index.ts rename to .github/actions/check-codescanning-config/index.ts diff --git a/.github/check-sarif/action.yml b/.github/actions/check-sarif/action.yml similarity index 100% rename from .github/check-sarif/action.yml rename to .github/actions/check-sarif/action.yml diff --git a/.github/check-sarif/index.js b/.github/actions/check-sarif/index.js similarity index 100% rename from .github/check-sarif/index.js rename to .github/actions/check-sarif/index.js diff --git a/.github/prepare-test/action.yml b/.github/actions/prepare-test/action.yml similarity index 100% rename from .github/prepare-test/action.yml rename to .github/actions/prepare-test/action.yml diff --git a/.github/query-filter-test/action.yml b/.github/actions/query-filter-test/action.yml similarity index 96% rename from .github/query-filter-test/action.yml rename to .github/actions/query-filter-test/action.yml index 1cb9e2c8cd..6a2036382f 100644 --- a/.github/query-filter-test/action.yml +++ b/.github/actions/query-filter-test/action.yml @@ -44,7 +44,7 @@ runs: env: CODEQL_ACTION_TEST_MODE: "true" - name: Check SARIF - uses: ./../action/.github/check-sarif + uses: ./../action/.github/actions/check-sarif with: sarif-file: ${{ inputs.sarif-file }} queries-run: ${{ inputs.queries-run}} diff --git a/.github/setup-swift/action.yml b/.github/actions/setup-swift/action.yml similarity index 100% rename from .github/setup-swift/action.yml rename to .github/actions/setup-swift/action.yml 
diff --git a/.github/actions/update-bundle/action.yml b/.github/actions/update-bundle/action.yml new file mode 100644 index 0000000000..0216d2465b --- /dev/null +++ b/.github/actions/update-bundle/action.yml @@ -0,0 +1,14 @@ +name: Update default CodeQL bundle +description: Updates 'src/defaults.json' to point to a new CodeQL bundle release. + +runs: + using: composite + steps: + - name: Install ts-node + shell: bash + run: npm install -g ts-node + + - name: Run update script + working-directory: ${{ github.action_path }} + shell: bash + run: ts-node ./index.ts diff --git a/.github/actions/update-bundle/index.ts b/.github/actions/update-bundle/index.ts new file mode 100644 index 0000000000..a8bd13e27a --- /dev/null +++ b/.github/actions/update-bundle/index.ts 
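Review bot: The `Install ts-node` step runs `npm install -g ts-node` without a version, so each run executes whatever ts-node release and transitive dependencies the registry serves at that moment, inside a job that later commits and pushes to the repository. Pin it, for example `run: npm install -g ts-node@<PINNED_VERSION>` (placeholder; use the version the repository already builds with), or run a ts-node that is recorded in the repository's lockfile. This action directory has no `package.json` in this diff, so `index.ts` presumably resolves `@actions/github` from the repository's own `node_modules`; a one-line comment above `Run update script` saying so would make that dependency explicit.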
@@ -0,0 +1,69 @@ +import * as fs from 'fs'; +import * as github from '@actions/github'; + +interface BundleInfo { + bundleVersion: string; + cliVersion: string; +} + +interface Defaults { + bundleVersion: string; + cliVersion: string; + priorBundleVersion: string; + priorCliVersion: string; +} + +const CODEQL_BUNDLE_PREFIX = 'codeql-bundle-'; + +function getCodeQLCliVersionForRelease(release): string { + // We do not currently tag CodeQL bundles based on the CLI version they contain. + // Instead, we use a marker file `cli-version-.txt` to record the CLI version. + // This marker file is uploaded as a release asset for all new CodeQL bundles. + const cliVersionsFromMarkerFiles = release.assets + .map((asset) => asset.name.match(/cli-version-(.*)\.txt/)?.[1]) + .filter((v) => v) + .map((v) => v as string); + if (cliVersionsFromMarkerFiles.length > 1) { + throw new Error( + `Release ${release.tag_name} has multiple CLI version marker files.` + ); + } else if (cliVersionsFromMarkerFiles.length === 0) { + throw new Error( + `Failed to find the CodeQL CLI version for release ${release.tag_name}.` + ); + } + return cliVersionsFromMarkerFiles[0]; + } + + async function getBundleInfoFromRelease(release): Promise { + return { + bundleVersion: release.tag_name.substring(CODEQL_BUNDLE_PREFIX.length), + cliVersion: getCodeQLCliVersionForRelease(release) + }; + } + + async function getNewDefaults(currentDefaults: Defaults): Promise { + const release = github.context.payload.release; + console.log('Updating default bundle as a result of the following release: ' + + `${JSON.stringify(release)}.`) + + const bundleInfo = await getBundleInfoFromRelease(release); + return { + bundleVersion: bundleInfo.bundleVersion, + cliVersion: bundleInfo.cliVersion, + priorBundleVersion: currentDefaults.bundleVersion, + priorCliVersion: currentDefaults.cliVersion + }; + } + + async function main() { + const previousDefaults: Defaults = JSON.parse(fs.readFileSync('../../../src/defaults.json', 
'utf8')); + const newDefaults = await getNewDefaults(previousDefaults); + // Update the source file in the repository. Calling workflows should subsequently rebuild + // the Action to update `lib/defaults.json`. + fs.writeFileSync('../../../src/defaults.json', JSON.stringify(newDefaults, null, 2) + "\n"); + } + + // Ideally, we'd await main() here, but that doesn't work well with `ts-node`. + // So instead we rely on the fact that Node won't exit until the event loop is empty. + main(); diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 1ae2c35984..020dca75c8 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -16,6 +16,6 @@ updates: schedule: interval: weekly - package-ecosystem: github-actions - directory: "/.github/setup-swift/" # All subdirectories outside of "/.github/workflows" must be explicitly included. + directory: "/.github/actions/setup-swift/" # All subdirectories outside of "/.github/workflows" must be explicitly included. schedule: interval: weekly diff --git a/.github/workflows/__analyze-ref-input.yml b/.github/workflows/__analyze-ref-input.yml index cff1b5307f..a5ab171d23 100644 --- a/.github/workflows/__analyze-ref-input.yml +++ b/.github/workflows/__analyze-ref-input.yml @@ -69,7 +69,7 @@ jobs: uses: actions/checkout@v3 - name: Prepare test id: prepare-test - uses: ./.github/prepare-test + uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - name: Set up Go diff --git a/.github/workflows/__autobuild-action.yml b/.github/workflows/__autobuild-action.yml index f99a4dc59f..a8293b4999 100644 --- a/.github/workflows/__autobuild-action.yml +++ b/.github/workflows/__autobuild-action.yml @@ -39,7 +39,7 @@ jobs: uses: actions/checkout@v3 - name: Prepare test id: prepare-test - uses: ./.github/prepare-test + uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - uses: ./../action/init 
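Review bot: `getBundleInfoFromRelease` strips the prefix with `release.tag_name.substring(CODEQL_BUNDLE_PREFIX.length)`, but the `src/defaults.json` and `lib/defaults.json` values in this same commit keep it (`"bundleVersion": "codeql-bundle-20230403"`), so the script would write a different format from the one checked in. Unless the consumers were changed elsewhere, `bundleVersion: release.tag_name,` looks like the intended line. The marker regex `/cli-version-(.*)\.txt/` is unanchored and captures arbitrary text that is then written to `defaults.json` and reused in the PR title; if versions always look like the ones in `defaults.json`, `/^cli-version-(\d+\.\d+\.\d+)\.txt$/` would reject unexpected asset names. `main()` is left as a floating promise, and `main().catch((e) => { console.error(e); process.exit(1); });` would make a failed update fail the step explicitly.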
diff --git a/.github/workflows/__config-export.yml b/.github/workflows/__config-export.yml index c62cff45c6..c80b2ee7de 100644 --- a/.github/workflows/__config-export.yml +++ b/.github/workflows/__config-export.yml @@ -45,7 +45,7 @@ jobs: uses: actions/checkout@v3 - name: Prepare test id: prepare-test - uses: ./.github/prepare-test + uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - uses: ./../action/init diff --git a/.github/workflows/__diagnostics-export.yml b/.github/workflows/__diagnostics-export.yml index eac8e6494b..5d81f5c07d 100644 --- a/.github/workflows/__diagnostics-export.yml +++ b/.github/workflows/__diagnostics-export.yml @@ -45,7 +45,7 @@ jobs: uses: actions/checkout@v3 - name: Prepare test id: prepare-test - uses: ./.github/prepare-test + uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - uses: ./../action/init diff --git a/.github/workflows/__export-file-baseline-information.yml b/.github/workflows/__export-file-baseline-information.yml index e3bde8456e..f1d2cb3528 100644 --- a/.github/workflows/__export-file-baseline-information.yml +++ b/.github/workflows/__export-file-baseline-information.yml @@ -39,7 +39,7 @@ jobs: uses: actions/checkout@v3 - name: Prepare test id: prepare-test - uses: ./.github/prepare-test + uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - uses: ./../action/init @@ -49,7 +49,7 @@ jobs: tools: ${{ steps.prepare-test.outputs.tools-url }} env: CODEQL_FILE_BASELINE_INFORMATION: true - - uses: ./../action/.github/setup-swift + - uses: ./../action/.github/actions/setup-swift with: codeql-path: ${{steps.init.outputs.codeql-path}} - name: Build code diff --git a/.github/workflows/__extractor-ram-threads.yml b/.github/workflows/__extractor-ram-threads.yml index b700b7644c..2582a517d9 100644 --- a/.github/workflows/__extractor-ram-threads.yml +++ b/.github/workflows/__extractor-ram-threads.yml 
@@ -35,7 +35,7 @@ jobs: uses: actions/checkout@v3 - name: Prepare test id: prepare-test - uses: ./.github/prepare-test + uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - uses: ./../action/init diff --git a/.github/workflows/__go-custom-queries.yml b/.github/workflows/__go-custom-queries.yml index 3093f38aa2..9a7b937795 100644 --- a/.github/workflows/__go-custom-queries.yml +++ b/.github/workflows/__go-custom-queries.yml @@ -69,7 +69,7 @@ jobs: uses: actions/checkout@v3 - name: Prepare test id: prepare-test - uses: ./.github/prepare-test + uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - name: Set up Go diff --git a/.github/workflows/__go-tracing-autobuilder.yml b/.github/workflows/__go-tracing-autobuilder.yml index 3110cad8ee..c43aae324c 100644 --- a/.github/workflows/__go-tracing-autobuilder.yml +++ b/.github/workflows/__go-tracing-autobuilder.yml @@ -57,7 +57,7 @@ jobs: uses: actions/checkout@v3 - name: Prepare test id: prepare-test - uses: ./.github/prepare-test + uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - name: Set up Go diff --git a/.github/workflows/__go-tracing-custom-build-steps.yml b/.github/workflows/__go-tracing-custom-build-steps.yml index b9f4933ddb..6ad73ad4a9 100644 --- a/.github/workflows/__go-tracing-custom-build-steps.yml +++ b/.github/workflows/__go-tracing-custom-build-steps.yml @@ -57,7 +57,7 @@ jobs: uses: actions/checkout@v3 - name: Prepare test id: prepare-test - uses: ./.github/prepare-test + uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - name: Set up Go diff --git a/.github/workflows/__go-tracing-legacy-workflow.yml b/.github/workflows/__go-tracing-legacy-workflow.yml index 05f98e4a18..2ce8d92979 100644 --- a/.github/workflows/__go-tracing-legacy-workflow.yml +++ b/.github/workflows/__go-tracing-legacy-workflow.yml 
@@ -57,7 +57,7 @@ jobs: uses: actions/checkout@v3 - name: Prepare test id: prepare-test - uses: ./.github/prepare-test + uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - name: Set up Go diff --git a/.github/workflows/__init-with-registries.yml b/.github/workflows/__init-with-registries.yml index 5a70e1166e..b8d87e7bf1 100644 --- a/.github/workflows/__init-with-registries.yml +++ b/.github/workflows/__init-with-registries.yml @@ -51,7 +51,7 @@ jobs: uses: actions/checkout@v3 - name: Prepare test id: prepare-test - uses: ./.github/prepare-test + uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - name: Init with registries diff --git a/.github/workflows/__javascript-source-root.yml b/.github/workflows/__javascript-source-root.yml index 01002fd247..44ced0a432 100644 --- a/.github/workflows/__javascript-source-root.yml +++ b/.github/workflows/__javascript-source-root.yml @@ -39,7 +39,7 @@ jobs: uses: actions/checkout@v3 - name: Prepare test id: prepare-test - uses: ./.github/prepare-test + uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - name: Move codeql-action diff --git a/.github/workflows/__ml-powered-queries.yml b/.github/workflows/__ml-powered-queries.yml index 1009afc306..db52beb454 100644 --- a/.github/workflows/__ml-powered-queries.yml +++ b/.github/workflows/__ml-powered-queries.yml @@ -57,7 +57,7 @@ jobs: uses: actions/checkout@v3 - name: Prepare test id: prepare-test - uses: ./.github/prepare-test + uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - name: Set up Go @@ -85,7 +85,7 @@ jobs: retention-days: 7 - name: Check sarif - uses: ./../action/.github/check-sarif + uses: ./../action/.github/actions/check-sarif # Running on Windows requires CodeQL CLI 2.9.0+. if: "!(matrix.version == 'stable-20220120' && runner.os == 'Windows')" with: 
diff --git a/.github/workflows/__multi-language-autodetect.yml b/.github/workflows/__multi-language-autodetect.yml index 560dafcf27..6a150b10a8 100644 --- a/.github/workflows/__multi-language-autodetect.yml +++ b/.github/workflows/__multi-language-autodetect.yml @@ -57,7 +57,7 @@ jobs: uses: actions/checkout@v3 - name: Prepare test id: prepare-test - uses: ./.github/prepare-test + uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - name: Set up Go @@ -71,7 +71,7 @@ jobs: db-location: ${{ runner.temp }}/customDbLocation tools: ${{ steps.prepare-test.outputs.tools-url }} - - uses: ./../action/.github/setup-swift + - uses: ./../action/.github/actions/setup-swift with: codeql-path: ${{steps.init.outputs.codeql-path}} diff --git a/.github/workflows/__packaging-codescanning-config-inputs-js.yml b/.github/workflows/__packaging-codescanning-config-inputs-js.yml index 7a86504374..6cb8c49831 100644 --- a/.github/workflows/__packaging-codescanning-config-inputs-js.yml +++ b/.github/workflows/__packaging-codescanning-config-inputs-js.yml @@ -51,7 +51,7 @@ jobs: uses: actions/checkout@v3 - name: Prepare test id: prepare-test - uses: ./.github/prepare-test + uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - uses: ./../action/init @@ -69,7 +69,7 @@ jobs: upload-database: false - name: Check results - uses: ./../action/.github/check-sarif + uses: ./../action/.github/actions/check-sarif with: sarif-file: ${{ runner.temp }}/results/javascript.sarif queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block diff --git a/.github/workflows/__packaging-config-inputs-js.yml b/.github/workflows/__packaging-config-inputs-js.yml index 5fde2b92ca..e8426cffc4 100644 --- a/.github/workflows/__packaging-config-inputs-js.yml +++ b/.github/workflows/__packaging-config-inputs-js.yml 
@@ -51,7 +51,7 @@ jobs: uses: actions/checkout@v3 - name: Prepare test id: prepare-test - uses: ./.github/prepare-test + uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - uses: ./../action/init @@ -69,7 +69,7 @@ jobs: upload-database: false - name: Check results - uses: ./../action/.github/check-sarif + uses: ./../action/.github/actions/check-sarif with: sarif-file: ${{ runner.temp }}/results/javascript.sarif queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block diff --git a/.github/workflows/__packaging-config-js.yml b/.github/workflows/__packaging-config-js.yml index 04b330fea1..759f12cf95 100644 --- a/.github/workflows/__packaging-config-js.yml +++ b/.github/workflows/__packaging-config-js.yml @@ -51,7 +51,7 @@ jobs: uses: actions/checkout@v3 - name: Prepare test id: prepare-test - uses: ./.github/prepare-test + uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - uses: ./../action/init @@ -68,7 +68,7 @@ jobs: upload-database: false - name: Check results - uses: ./../action/.github/check-sarif + uses: ./../action/.github/actions/check-sarif with: sarif-file: ${{ runner.temp }}/results/javascript.sarif queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block diff --git a/.github/workflows/__packaging-inputs-js.yml b/.github/workflows/__packaging-inputs-js.yml index 13887ba5d7..6d5763b685 100644 --- a/.github/workflows/__packaging-inputs-js.yml +++ b/.github/workflows/__packaging-inputs-js.yml @@ -51,7 +51,7 @@ jobs: uses: actions/checkout@v3 - name: Prepare test id: prepare-test - uses: ./.github/prepare-test + uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - uses: ./../action/init 
@@ -68,7 +68,7 @@ jobs: output: ${{ runner.temp }}/results - name: Check results - uses: ./../action/.github/check-sarif + uses: ./../action/.github/actions/check-sarif with: sarif-file: ${{ runner.temp }}/results/javascript.sarif queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block diff --git a/.github/workflows/__remote-config.yml b/.github/workflows/__remote-config.yml index 69e49c4395..8b1440eedb 100644 --- a/.github/workflows/__remote-config.yml +++ b/.github/workflows/__remote-config.yml @@ -69,7 +69,7 @@ jobs: uses: actions/checkout@v3 - name: Prepare test id: prepare-test - uses: ./.github/prepare-test + uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - name: Set up Go diff --git a/.github/workflows/__rubocop-multi-language.yml b/.github/workflows/__rubocop-multi-language.yml index a706b73751..96156ab74f 100644 --- a/.github/workflows/__rubocop-multi-language.yml +++ b/.github/workflows/__rubocop-multi-language.yml @@ -35,7 +35,7 @@ jobs: uses: actions/checkout@v3 - name: Prepare test id: prepare-test - uses: ./.github/prepare-test + uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - name: Set up Ruby diff --git a/.github/workflows/__ruby.yml b/.github/workflows/__ruby.yml index cb1b505d5d..a9e68ea511 100644 --- a/.github/workflows/__ruby.yml +++ b/.github/workflows/__ruby.yml @@ -45,7 +45,7 @@ jobs: uses: actions/checkout@v3 - name: Prepare test id: prepare-test - uses: ./.github/prepare-test + uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - uses: ./../action/init diff --git a/.github/workflows/__split-workflow.yml b/.github/workflows/__split-workflow.yml index 7d3a2650e1..3492061d66 100644 --- a/.github/workflows/__split-workflow.yml +++ b/.github/workflows/__split-workflow.yml 
@@ -45,7 +45,7 @@ jobs: uses: actions/checkout@v3 - name: Prepare test id: prepare-test - uses: ./.github/prepare-test + uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - uses: ./../action/init diff --git a/.github/workflows/__submit-sarif-failure.yml b/.github/workflows/__submit-sarif-failure.yml index 3d16460aa0..b3fb9ad123 100644 --- a/.github/workflows/__submit-sarif-failure.yml +++ b/.github/workflows/__submit-sarif-failure.yml @@ -39,7 +39,7 @@ jobs: uses: actions/checkout@v3 - name: Prepare test id: prepare-test - uses: ./.github/prepare-test + uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - uses: actions/checkout@v3 diff --git a/.github/workflows/__swift-custom-build.yml b/.github/workflows/__swift-custom-build.yml index d10246db14..c04bc75c78 100644 --- a/.github/workflows/__swift-custom-build.yml +++ b/.github/workflows/__swift-custom-build.yml @@ -45,7 +45,7 @@ jobs: uses: actions/checkout@v3 - name: Prepare test id: prepare-test - uses: ./.github/prepare-test + uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - uses: ./../action/init @@ -53,7 +53,7 @@ jobs: with: languages: swift tools: ${{ steps.prepare-test.outputs.tools-url }} - - uses: ./../action/.github/setup-swift + - uses: ./../action/.github/actions/setup-swift with: codeql-path: ${{steps.init.outputs.codeql-path}} - name: Check working directory diff --git a/.github/workflows/__test-autobuild-working-dir.yml b/.github/workflows/__test-autobuild-working-dir.yml index b0baa3b3f5..c151b4fabd 100644 --- a/.github/workflows/__test-autobuild-working-dir.yml +++ b/.github/workflows/__test-autobuild-working-dir.yml @@ -35,7 +35,7 @@ jobs: uses: actions/checkout@v3 - name: Prepare test id: prepare-test - uses: ./.github/prepare-test + uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - name: Test setup 
diff --git a/.github/workflows/__test-local-codeql.yml b/.github/workflows/__test-local-codeql.yml index f5c5ff669f..cb78865496 100644 --- a/.github/workflows/__test-local-codeql.yml +++ b/.github/workflows/__test-local-codeql.yml @@ -35,7 +35,7 @@ jobs: uses: actions/checkout@v3 - name: Prepare test id: prepare-test - uses: ./.github/prepare-test + uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - name: Fetch a CodeQL bundle diff --git a/.github/workflows/__test-proxy.yml b/.github/workflows/__test-proxy.yml index 9895f01843..a5e24847df 100644 --- a/.github/workflows/__test-proxy.yml +++ b/.github/workflows/__test-proxy.yml @@ -35,7 +35,7 @@ jobs: uses: actions/checkout@v3 - name: Prepare test id: prepare-test - uses: ./.github/prepare-test + uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - uses: ./../action/init diff --git a/.github/workflows/__unset-environment.yml b/.github/workflows/__unset-environment.yml index 44c8e48562..7d863eebcf 100644 --- a/.github/workflows/__unset-environment.yml +++ b/.github/workflows/__unset-environment.yml @@ -45,7 +45,7 @@ jobs: uses: actions/checkout@v3 - name: Prepare test id: prepare-test - uses: ./.github/prepare-test + uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - name: Set up Go diff --git a/.github/workflows/__upload-ref-sha-input.yml b/.github/workflows/__upload-ref-sha-input.yml index d235743d7f..d7a6599e25 100644 --- a/.github/workflows/__upload-ref-sha-input.yml +++ b/.github/workflows/__upload-ref-sha-input.yml @@ -69,7 +69,7 @@ jobs: uses: actions/checkout@v3 - name: Prepare test id: prepare-test - uses: ./.github/prepare-test + uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - name: Set up Go diff --git a/.github/workflows/__with-checkout-path.yml b/.github/workflows/__with-checkout-path.yml index 7ffc2ec457..e7067ae1d7 100644 --- a/.github/workflows/__with-checkout-path.yml 
+++ b/.github/workflows/__with-checkout-path.yml @@ -69,7 +69,7 @@ jobs: uses: actions/checkout@v3 - name: Prepare test id: prepare-test - uses: ./.github/prepare-test + uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - name: Set up Go diff --git a/.github/workflows/codescanning-config-cli.yml b/.github/workflows/codescanning-config-cli.yml index 272dc3a672..fe1d3f8989 100644 --- a/.github/workflows/codescanning-config-cli.yml +++ b/.github/workflows/codescanning-config-cli.yml @@ -47,12 +47,12 @@ jobs: uses: actions/checkout@v3 - name: Prepare test id: prepare-test - uses: ./.github/prepare-test + uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - name: Empty file - uses: ./../action/.github/check-codescanning-config + uses: ./../action/.github/actions/check-codescanning-config with: expected-config-file-contents: "{}" languages: javascript @@ -60,7 +60,7 @@ jobs: - name: Packs from input if: success() || failure() - uses: ./../action/.github/check-codescanning-config + uses: ./../action/.github/actions/check-codescanning-config with: expected-config-file-contents: | { @@ -72,7 +72,7 @@ jobs: - name: Packs from input with + if: success() || failure() - uses: ./../action/.github/check-codescanning-config + uses: ./../action/.github/actions/check-codescanning-config with: expected-config-file-contents: | { @@ -84,7 +84,7 @@ jobs: - name: Queries from input if: success() || failure() - uses: ./../action/.github/check-codescanning-config + uses: ./../action/.github/actions/check-codescanning-config with: expected-config-file-contents: | { @@ -96,7 +96,7 @@ jobs: - name: Queries from input with + if: success() || failure() - uses: ./../action/.github/check-codescanning-config + uses: ./../action/.github/actions/check-codescanning-config with: expected-config-file-contents: | { 
@@ -108,7 +108,7 @@ jobs: - name: Queries and packs from input with + if: success() || failure() - uses: ./../action/.github/check-codescanning-config + uses: ./../action/.github/actions/check-codescanning-config with: expected-config-file-contents: | { @@ -122,7 +122,7 @@ jobs: - name: Queries and packs from config if: success() || failure() - uses: ./../action/.github/check-codescanning-config + uses: ./../action/.github/actions/check-codescanning-config with: expected-config-file-contents: | { @@ -137,7 +137,7 @@ jobs: - name: Queries and packs from config overriden by input if: success() || failure() - uses: ./../action/.github/check-codescanning-config + uses: ./../action/.github/actions/check-codescanning-config with: expected-config-file-contents: | { @@ -152,7 +152,7 @@ jobs: - name: Queries and packs from config merging with input if: success() || failure() - uses: ./../action/.github/check-codescanning-config + uses: ./../action/.github/actions/check-codescanning-config with: expected-config-file-contents: | { @@ -172,7 +172,7 @@ jobs: - name: Multi-language packs from config if: success() || failure() - uses: ./../action/.github/check-codescanning-config + uses: ./../action/.github/actions/check-codescanning-config with: expected-config-file-contents: | { @@ -190,7 +190,7 @@ jobs: - name: Other config properties if: success() || failure() - uses: ./../action/.github/check-codescanning-config + uses: ./../action/.github/actions/check-codescanning-config with: expected-config-file-contents: | { @@ -209,7 +209,7 @@ jobs: if: success() || failure() env: CODEQL_PASS_CONFIG_TO_CLI: false - uses: ./../action/.github/check-codescanning-config + uses: ./../action/.github/actions/check-codescanning-config with: expected-config-file-contents: "" languages: javascript diff --git a/.github/workflows/debug-artifacts-failure.yml b/.github/workflows/debug-artifacts-failure.yml index 0bbf47048e..9740121655 100644 --- a/.github/workflows/debug-artifacts-failure.yml 
+++ b/.github/workflows/debug-artifacts-failure.yml @@ -36,7 +36,7 @@ jobs: uses: actions/checkout@v3 - name: Prepare test id: prepare-test - uses: ./.github/prepare-test + uses: ./.github/actions/prepare-test with: version: latest - uses: actions/setup-go@v4 diff --git a/.github/workflows/debug-artifacts.yml b/.github/workflows/debug-artifacts.yml index 781ee9cbec..993700ec01 100644 --- a/.github/workflows/debug-artifacts.yml +++ b/.github/workflows/debug-artifacts.yml @@ -56,7 +56,7 @@ jobs: uses: actions/checkout@v3 - name: Prepare test id: prepare-test - uses: ./.github/prepare-test + uses: ./.github/actions/prepare-test with: version: ${{ matrix.version }} - uses: actions/setup-go@v4 diff --git a/.github/workflows/expected-queries-runs.yml b/.github/workflows/expected-queries-runs.yml index c9b79b7e94..b3b33e1df1 100644 --- a/.github/workflows/expected-queries-runs.yml +++ b/.github/workflows/expected-queries-runs.yml @@ -25,7 +25,7 @@ jobs: uses: actions/checkout@v3 - name: Prepare test id: prepare-test - uses: ./.github/prepare-test + uses: ./.github/actions/prepare-test with: version: latest - uses: ./../action/init @@ -39,7 +39,7 @@ jobs: upload: never - name: Check Sarif - uses: ./../action/.github/check-sarif + uses: ./../action/.github/actions/check-sarif with: sarif-file: ${{ runner.temp }}/results/javascript.sarif queries-run: js/incomplete-hostname-regexp,js/path-injection diff --git a/.github/workflows/query-filters.yml b/.github/workflows/query-filters.yml index c384a231dd..e2f5642ea5 100644 --- a/.github/workflows/query-filters.yml +++ b/.github/workflows/query-filters.yml 
@@ -23,12 +23,12 @@ jobs: uses: actions/checkout@v3 - name: Prepare test id: prepare-test - uses: ./.github/prepare-test + uses: ./.github/actions/prepare-test with: version: latest - name: Check SARIF for default queries with Single include, Single exclude - uses: ./../action/.github/query-filter-test + uses: ./../action/.github/actions/query-filter-test with: sarif-file: ${{ runner.temp }}/results/javascript.sarif queries-run: js/zipslip @@ -37,7 +37,7 @@ jobs: tools: ${{ steps.prepare-test.outputs.tools-url }} - name: Check SARIF for query packs with Single include, Single exclude - uses: ./../action/.github/query-filter-test + uses: ./../action/.github/actions/query-filter-test with: sarif-file: ${{ runner.temp }}/results/javascript.sarif queries-run: js/zipslip,javascript/example/empty-or-one-block @@ -46,7 +46,7 @@ jobs: tools: ${{ steps.prepare-test.outputs.tools-url }} - name: Check SARIF for query packs and local queries with Single include, Single exclude - uses: ./../action/.github/query-filter-test + uses: ./../action/.github/actions/query-filter-test with: sarif-file: ${{ runner.temp }}/results/javascript.sarif queries-run: js/zipslip,javascript/example/empty-or-one-block,inrepo-javascript-querypack/show-ifs diff --git a/.github/workflows/update-bundle.yml b/.github/workflows/update-bundle.yml new file mode 100644 index 0000000000..a94d11e934 --- /dev/null +++ b/.github/workflows/update-bundle.yml 
@@ -0,0 +1,82 @@ +name: Update default CodeQL bundle + +on: + release: + types: [prereleased] + +jobs: + update-bundle: + if: startsWith(github.event.release.tag_name, 'codeql-bundle-') + runs-on: ubuntu-latest + steps: + - name: Dump environment + run: env + + - name: Dump GitHub context + env: + GITHUB_CONTEXT: '${{ toJson(github) }}' + run: echo "$GITHUB_CONTEXT" + + - uses: actions/checkout@v3 + + - name: Update git config + run: | + git config --global user.email "github-actions@github.com" + git config --global user.name "github-actions[bot]" + + - name: Update bundle + uses: ./.github/actions/update-bundle + + - name: Rebuild Action + run: npm run build + + - name: Commit and push changes + env: + RELEASE_TAG: "${{ github.event.release.tag_name }}" + run: | + git checkout -b "update-bundle/$RELEASE_TAG" + git commit -am "Update default bundle to $RELEASE_TAG" + git push --set-upstream origin "update-bundle/$RELEASE_TAG" + + - name: Open pull request + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + cli_version=$(jq -r '.cliVersion' src/defaults.json) + pr_url=$(gh pr create \ + --title "Update default bundle to $cli_version" \ + --body "This pull request updates the default CodeQL bundle, as used with \`tools: latest\` and on GHES, to $cli_version." \ + --assignee "$GITHUB_ACTOR" \ + --draft \ + ) + echo "CLI_VERSION=$cli_version" | tee -a "$GITHUB_ENV" + echo "PR_URL=$pr_url" | tee -a "$GITHUB_ENV" + + - name: Create changelog note + shell: python + run: | + import os + import re + + # Get the PR number from the PR URL. + pr_number = os.environ['PR_URL'].split('/')[-1] + changelog_note = f"- Update default CodeQL bundle version to {os.environ['CLI_VERSION']}. [#{pr_number}]({os.environ['PR_URL']})" + + # If the "[UNRELEASED]" section starts with "no user facing changes", remove that line. + # Use perl to avoid having to escape the newline character. 
+ + with open('CHANGELOG.md', 'r') as f: + changelog = f.read() + + changelog = changelog.replace('## [UNRELEASED]\n\nNo user facing changes.', '## [UNRELEASED]\n') + + # Add the changelog note to the bottom of the "[UNRELEASED]" section. + changelog = re.sub(r'\n## (\d+\.\d+\.\d+)', f'{changelog_note}\n\n## \\1', changelog, count=1) + + with open('CHANGELOG.md', 'w') as f: + f.write(changelog) + + - name: Push changelog note + run: | + git commit -am "Add changelog note" + git push diff --git a/CHANGELOG.md b/CHANGELOG.md index 7e858e7936..ba34513686 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,7 +2,7 @@ ## [UNRELEASED] -No user facing changes. +- Update default CodeQL bundle version to 2.12.6. [#1629](https://github.com/github/codeql-action/pull/1629) ## 2.2.9 - 27 Mar 2023 diff --git a/lib/defaults.json b/lib/defaults.json index fe191836e0..10cc950fcc 100644 --- a/lib/defaults.json +++ b/lib/defaults.json @@ -1,6 +1,6 @@ { - "bundleVersion": "codeql-bundle-20230317", - "cliVersion": "2.12.5", - "priorBundleVersion": "codeql-bundle-20230304", - "priorCliVersion": "2.12.4" + "bundleVersion": "codeql-bundle-20230403", + "cliVersion": "2.12.6", + "priorBundleVersion": "codeql-bundle-20230317", + "priorCliVersion": "2.12.5" } diff --git a/pr-checks/checks/export-file-baseline-information.yml b/pr-checks/checks/export-file-baseline-information.yml index e3008a1567..058c0eaf6d 100644 --- a/pr-checks/checks/export-file-baseline-information.yml +++ b/pr-checks/checks/export-file-baseline-information.yml @@ -11,7 +11,7 @@ steps: tools: ${{ steps.prepare-test.outputs.tools-url }} env: CODEQL_FILE_BASELINE_INFORMATION: true - - uses: ./../action/.github/setup-swift + - uses: ./../action/.github/actions/setup-swift with: codeql-path: ${{steps.init.outputs.codeql-path}} - name: Build code diff --git a/pr-checks/checks/ml-powered-queries.yml b/pr-checks/checks/ml-powered-queries.yml index d0628b32cc..3aadbe0250 100644 --- a/pr-checks/checks/ml-powered-queries.yml 
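Review bot: The `update-bundle` job declares no `permissions:` block although it pushes a branch and opens a pull request with `secrets.GITHUB_TOKEN`, so it runs with whatever the repository default grants. Adding `permissions:` with `contents: write` and `pull-requests: write` on the job states the minimum it needs. The `Dump environment` and `Dump GitHub context` steps print the full environment and `toJson(github)` to the job log on every matching release; they look like debugging aids and could be removed or gated. The comment `# Use perl to avoid having to escape the newline character.` in `Create changelog note` no longer matches the Python code under it and should be dropped.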
+++ b/pr-checks/checks/ml-powered-queries.yml @@ -28,7 +28,7 @@ steps: retention-days: 7 - name: Check sarif - uses: ./../action/.github/check-sarif + uses: ./../action/.github/actions/check-sarif # Running on Windows requires CodeQL CLI 2.9.0+. if: "!(matrix.version == 'stable-20220120' && runner.os == 'Windows')" with: diff --git a/pr-checks/checks/multi-language-autodetect.yml b/pr-checks/checks/multi-language-autodetect.yml index 73d520799a..70175f0c24 100644 --- a/pr-checks/checks/multi-language-autodetect.yml +++ b/pr-checks/checks/multi-language-autodetect.yml @@ -10,7 +10,7 @@ steps: db-location: "${{ runner.temp }}/customDbLocation" tools: ${{ steps.prepare-test.outputs.tools-url }} - - uses: ./../action/.github/setup-swift + - uses: ./../action/.github/actions/setup-swift with: codeql-path: ${{steps.init.outputs.codeql-path}} diff --git a/pr-checks/checks/packaging-codescanning-config-inputs-js.yml b/pr-checks/checks/packaging-codescanning-config-inputs-js.yml index 6444593122..ccef0a226f 100644 --- a/pr-checks/checks/packaging-codescanning-config-inputs-js.yml +++ b/pr-checks/checks/packaging-codescanning-config-inputs-js.yml @@ -21,7 +21,7 @@ steps: upload-database: false - name: Check results - uses: ./../action/.github/check-sarif + uses: ./../action/.github/actions/check-sarif with: sarif-file: ${{ runner.temp }}/results/javascript.sarif queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block diff --git a/pr-checks/checks/packaging-config-inputs-js.yml b/pr-checks/checks/packaging-config-inputs-js.yml index d942dceaf4..3af646619d 100644 --- a/pr-checks/checks/packaging-config-inputs-js.yml +++ b/pr-checks/checks/packaging-config-inputs-js.yml 
@@ -17,7 +17,7 @@ steps: upload-database: false - name: Check results - uses: ./../action/.github/check-sarif + uses: ./../action/.github/actions/check-sarif with: sarif-file: ${{ runner.temp }}/results/javascript.sarif queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
diff --git a/pr-checks/checks/packaging-config-js.yml b/pr-checks/checks/packaging-config-js.yml
index 1d39ba8ca4..42d955d471 100644
--- a/pr-checks/checks/packaging-config-js.yml
+++ b/pr-checks/checks/packaging-config-js.yml
@@ -16,7 +16,7 @@ steps: upload-database: false - name: Check results - uses: ./../action/.github/check-sarif + uses: ./../action/.github/actions/check-sarif with: sarif-file: ${{ runner.temp }}/results/javascript.sarif queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
diff --git a/pr-checks/checks/packaging-inputs-js.yml b/pr-checks/checks/packaging-inputs-js.yml
index 6a254bd967..0d213f1300 100644
--- a/pr-checks/checks/packaging-inputs-js.yml
+++ b/pr-checks/checks/packaging-inputs-js.yml
@@ -16,7 +16,7 @@ steps: output: "${{ runner.temp }}/results" - name: Check results - uses: ./../action/.github/check-sarif + uses: ./../action/.github/actions/check-sarif with: sarif-file: ${{ runner.temp }}/results/javascript.sarif queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
diff --git a/pr-checks/checks/swift-custom-build.yml b/pr-checks/checks/swift-custom-build.yml
index 1fc1dd5f34..8d626d9320 100644
--- a/pr-checks/checks/swift-custom-build.yml
+++ b/pr-checks/checks/swift-custom-build.yml
@@ -11,7 +11,7 @@ steps: with: languages: swift tools: ${{ steps.prepare-test.outputs.tools-url }} - - uses: ./../action/.github/setup-swift + - uses: ./../action/.github/actions/setup-swift with: codeql-path: ${{steps.init.outputs.codeql-path}} - name: Check working directory
diff --git a/pr-checks/sync.py b/pr-checks/sync.py
index a5f05c1dc6..ef2e06cfb1 100644
--- a/pr-checks/sync.py
+++ b/pr-checks/sync.py
@@ -79,7 +79,7 @@ def writeHeader(checkStream): { 'name': 'Prepare test', 'id': 'prepare-test', - 'uses': './.github/prepare-test', + 'uses': './.github/actions/prepare-test', 'with': { 'version': '${{ matrix.version }}' }
diff --git a/src/defaults.json b/src/defaults.json
index c4597cc383..659c095640 100644
--- a/src/defaults.json
+++ b/src/defaults.json
@@ -1,6 +1,6 @@
 {
- "bundleVersion": "codeql-bundle-20230317",
- "cliVersion": "2.12.5",
- "priorBundleVersion": "codeql-bundle-20230304",
- "priorCliVersion": "2.12.4"
+ "bundleVersion": "codeql-bundle-20230403",
+ "cliVersion": "2.12.6",
+ "priorBundleVersion": "codeql-bundle-20230317",
+ "priorCliVersion": "2.12.5"
 }
pFad - Phonifier reborn
