diff --git a/.github/workflows/label-issue.yml b/.github/workflows/label-issue.yml index 9c2567cd..74942344 100644 --- a/.github/workflows/label-issue.yml +++ b/.github/workflows/label-issue.yml @@ -6,11 +6,14 @@ on: jobs: label: name: Label issue - runs-on: ubuntu-latest - if: github.event.action == 'opened' + runs-on: ubuntu-slim + permissions: + issues: write steps: - name: Label issue + run: gh issue edit "$NUMBER" --add-label "$LABELS" env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - echo '{"labels": ["CLI"]}' | gh api repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/labels --input - + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_REPO: ${{ github.repository }} + NUMBER: ${{ github.event.issue.number }} + LABELS: CLI diff --git a/CHANGELOG.md b/CHANGELOG.md index 9f8780ae..0e93e384 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -17,6 +17,226 @@ you know what to do). --> +## Release 2.25.2 (2026-04-15) + +### Miscellaneous + +- The build of Eclipse Temurin OpenJDK that is used to run the CodeQL + CLI has been updated to version 21.0.10. + +## Release 2.25.1 (2026-03-27) + +### Bug Fixes + +- Fixed a bug where extraction could fail on YAML files containing emoji. + +### Miscellaneous + +- Upgraded snakeyaml (which is a dependency of jackson-dataformat-yaml) from 2.3 to 2.6. + +## Release 2.25.0 (2026-03-19) + +### Breaking Changes + +- `codeql database interpret-results` and `codeql database analyze` no longer attempt to reconstruct file baseline information from databases created with CLI versions before 2.11.2. + +### Bug Fixes + +- Upgraded Jackson library from 2.16.1 to 2.18.6 to address a high-severity denial of service vulnerability (GHSA-72hv-8253-57qq) in jackson-core's async JSON parser. +- Upgraded snakeyaml (which is a dependency of jackson-dataformat-yaml) from 2.2 to 2.3. + +## Release 2.24.4 (2026-03-16) + +This release was skipped. + +## Release 2.24.3 (2026-03-05) + +### Bug Fixes + +- Fixed a race condition that could cause flaky failures in overlay CodeQL tests. Test extraction now skips `*.testproj` directories by name, preventing interference from concurrently cleaned-up test databases. +- Fixed spurious "OOPS" warnings that could appear in help output for commands using mutually exclusive option groups, such as `codeql query run`. + +## Release 2.24.2 (2026-02-20) + +### Bug Fixes + +- Fixed SARIF output to generate RFC 1738 compatible file URIs. File URIs now always use the `file:///` format instead of `file:/` for better interoperability with SARIF consumers. + +## Release 2.24.1 (2026-02-05) + +### Miscellaneous + +- The vulnerable xwork-core 2.3.37 test dependency (CVE-2025-68493) has been removed. The CodeQL Java library has been updated to support both legacy Struts 2.x-6.x package names and Struts 7.x package names for analyzing user code. 
+ +## Release 2.24.0 (2026-01-26) + +### Miscellaneous + +- The OWASP Java HTML Sanitizer library used by the CodeQL CLI for internal + documentation generation commands has been updated to version + [20260102.1](https://github.com/OWASP/java-html-sanitizer/releases/tag/release-20260102.1). +- The build of Eclipse Temurin OpenJDK that is used to run the CodeQL + CLI has been updated to version 21.0.9. + +## Release 2.23.9 (2026-01-09) + +### Deprecations + +- Support for Kotlin version 1.6 and 1.7 has been deprecated and will be removed from CodeQL version 2.24.1. Starting with version 2.24.1, users will need to use Kotlin version >= 1.8 to extract Kotlin databases. + +## Release 2.23.8 (2025-12-10) + +This release contains no CLI changes. + +## Release 2.23.7 (2025-12-05) + +### Deprecations + +- The `--save-cache` flag to `codeql database run-queries` and other commands that execute queries has been deprecated. This flag previously instructed the evaluator to aggressively write intermediate results to the disk cache, but now has no effect. + +## Release 2.23.6 (2025-11-24) + +### Breaking changes + +- The LGTM results format for uploading to LGTM has been removed. + +## Release 2.23.5 (2025-11-13) + +### Breaking changes + +- In order to make a `@kind path-problem` query diff-informed, the `getASelectedSourceLocation` and `getASelectedSinkLocation` predicates in the dataflow configuration now need to be overridden to always return the location of the source/sink _in addition to_ any other locations that are selected by the query. See the [QLdoc](https://github.com/github/codeql/blob/d122534398c5eb9182a23a9ad65caa5937d627b5/shared/dataflow/codeql/dataflow/DataFlow.qll#L474) for more details. + +## Release 2.23.4 + +This release was skipped. + +## Release 2.23.3 (2025-10-17) + +### Breaking changes + +- The `--permissive` command line option has been removed from the C/C++ extractor, + and passing the option will make the extractor fail. 
The option was introduced to + make the extractor accept the following invalid code, which is accepted by gcc with + the `-fpermissive` flag: + + ```cpp + void f(char*); + void g() { + const char* str = "string"; + f(str); + } + ``` + + The `--permissive` option was removed, as under some circumstances it would break the extractor's ability to parse valid C++ code. When calling the extractor directly, + `--permissive` should no longer be passed. The above code will fail to parse, and we + recommend the code being made `const`-correct. + +### Bugs fixed + +- Fixed a bug that made many `codeql` subcommands fail with the + message `not in while, until, select, or repeat loop` on Linux or + macOS systems where `/bin/sh` is `zsh`. + +## Release 2.23.2 (2025-10-02) + +### New features + +- CodeQL Go analysis now supports the "Git Source" type for [private package registries](https://docs.github.com/en/code-security/securing-your-organization/enabling-security-features-in-your-organization/giving-org-access-private-registries). This is in addition to the existing support for the "GOPROXY server" type. + +### Bugs Fixed + +- The `codeql generate query-help` command now prepends the query's name (taken from the `.ql` file) as a level-one heading when processing markdown query help, for consistency with help generated from a `.qhelp` file. + +## Release 2.23.1 (2025-09-23) + +### New features + +- CodeQL now adds the sources and sinks of path alerts to the `relatedLocations` + property of SARIF results if they are not included as the primary location or + within the alert message. This means that path alerts will show on PRs if a + source or sink is added or modified, even for queries that don't follow the + common convention of selecting the sink as the primary location and mentioning + the source in the alert message. 
+ +- CodeQL now populates file coverage information for GitHub Actions on + [the tool status page for code scanning](https://docs.github.com/en/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page#viewing-the-tool-status-page-for-a-repository). + +## Release 2.23.0 (2025-09-04) + +### Miscellaneous + +- The build of Eclipse Temurin OpenJDK that is used to run the CodeQL + CLI has been updated to version 21.0.8. + +## Release 2.22.4 (2025-08-21) + +- There are no user-facing changes in this release. + +## Release 2.22.3 (2025-08-06) + +### New features + +- The `codeql database cleanup` command now takes the `--cache-cleanup=overlay` + option, which trims the cache to just the data that will be useful when + evaluating against an overlay. + +## Release 2.22.2 (2025-07-29) + +### Bug fix + +- Fixes a bug in query suites where the `version` property of an `import` instruction was ignored. Previously, the following query suite would _not_ resolve to `v1.0.19` of `codeql/csharp-queries`. Instead it would resolve to the latest version. This is now fixed and the resolve pack version would be `v1.0.19`. + ``` + - from: codeql/csharp-queries + import: codeql-suites/csharp-security-and-quality.qls + version: 1.0.19 + ``` + +## Release 2.22.1 (2025-06-26) + +### New features + +- Rust language support is now in public preview. + +### Miscellaneous + +- The version of `jgit` used by the CodeQL CLI has been updated to `6.10.1.202505221210-r`. + +## Release 2.22.0 (2025-06-11) + +### Breaking changes + +- A number of breaking changes have been made to the C and C++ CodeQL test + environment as used by `codeql test run`: + - Options starting with a `/` are no longer supported by + `semmle-extractor-options`. Any option starting with a `/` should be + replaced by the equivalent option starting with a `-`, e.g., `/D` should be + replaced by `-D`. 
+ - Preprocessor command line options of the form `-D#` are no + longer supported by `semmle-extractor-options`. `-D=` should be + used instead. + - The `/Fp` and `-o` options are no longer supported by + `semmle-extractor-options`. The options should be omitted. + - The `-emit-pch`, `-include-pch`, `/Yc`, and `/Yu` options, and the + `--preinclude` option taking a pre-compiled header as its argument, are no + longer supported by `semmle-extractor-options`. Any test that makes use of + this should be replaced by a test that invokes the CodeQL CLI with the + `create database` option and that runs the relevant queries on the created + database. + +## Release 2.21.4 (2025-06-02) + +### Deprecations + +- The `clang_vector_types`, `clang_attributes`, and `flax-vector-conversions` command + line options have been removed from the C/C++ extractor. These options were introduced + as workarounds to frontend limitations in earlier versions of the extractor and are + no longer needed when calling the extractor directly. + +### Miscellaneous + +- The build of Eclipse Temurin OpenJDK that is used to run the CodeQL + CLI has been updated to version 21.0.7. + ## Release 2.21.3 (2025-05-15) ### Miscellaneous @@ -56,7 +276,7 @@ - On macOS the `CODEQL_TRACER_RELOCATION_EXCLUDE` environment variable can now be used to exclude certain paths from the tracer relocation and tracing process. This environment variable accepts newline-separated regex patterns of binaries - to be excluded. + to be excluded. ## Release 2.20.7 (2025-03-18) diff --git a/LICENSE.md b/LICENSE.md index 3ef032db..e8727085 100644 --- a/LICENSE.md +++ b/LICENSE.md 
@@ -33,7 +33,7 @@ below: * Use the Software to demonstrate the Software. * Test CodeQL queries that are released under an OSI-approved - Licence to confirm that new versions of those queries continue to + License to confirm that new versions of those queries continue to find the right vulnerabilities. Here's what you may also do with the Software, but only with an Open @@ -169,7 +169,7 @@ provision of these Terms will not constitute a waiver of such right or provision. _Entire Agreement._ These Terms, together with any open source -software licenses referenced above, constitutes the entire agreement +software licenses referenced above, constitute the entire agreement between you and GitHub regarding your use of the Software, superseding any prior agreements between you and GitHub (including, but not limited to, any prior versions of these Terms) regarding such use.
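Review bot: Dropping `if: github.event.action == 'opened'` from the `label` job in `.github/workflows/label-issue.yml` means the job now runs for every issue event type the workflow's `on:` block subscribes to, and `gh issue edit "$NUMBER" --add-label "$LABELS"` would re-run on each of them; the `on:` triggers are outside this hunk, so please confirm that `on.issues.types` is limited to `opened` (or keep the `if` guard), otherwise a maintainer removing the `CLI` label by hand will have it re-added the next time the issue is edited or reopened. The rest of the hunk is a clear improvement: the job-level `permissions: issues: write` scopes `GITHUB_TOKEN` to exactly what `gh issue edit` needs, and moving `${{ github.repository }}` and `${{ github.event.issue.number }}` out of the `run:` script into `env:` (`GH_REPO`, `NUMBER`) means no workflow expression is expanded inside the shell command line, which is the pattern that avoids script injection in Actions.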
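Review bot: In the new `CHANGELOG.md` entries, the `Release 2.23.9` deprecation says Kotlin 1.6 and 1.7 support "will be removed from CodeQL version 2.24.1", but the `Release 2.24.1 (2026-02-05)` entry records only the xwork-core removal and says nothing about Kotlin; either add the removal to 2.24.1 (under a Breaking changes heading) or correct the target version in 2.23.9 so readers can tell which release actually dropped it. Related categorisation point: `Release 2.21.4` lists the removal of `clang_vector_types`, `clang_attributes` and `flax-vector-conversions` under `### Deprecations` although the text says they "have been removed", whereas the `--permissive` removal in 2.23.3 is filed under `### Breaking changes`; removed options belong under Breaking changes in both places. Minor style: the section headings vary in capitalisation and wording (`### Bug Fixes`, `### Bugs fixed`, `### Bugs Fixed`, `### Bug fix`; `### Breaking Changes` vs `### Breaking changes`), `## Release 2.23.4` is the only release heading without a date, the "no changes" releases are phrased three different ways (2.24.4, 2.23.8, 2.22.4), and in the 2.22.2 entry "the resolve pack version would be" should read "the resolved pack version would be".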