There's a lot of changes here, but it's pretty formulaic. It follows the
approach used by the `queries` input and config property.
`threat-models` can appear as an input or in the config file. If it
appears in the input, then we need to either merge it with the
threat-models in the config (if prefixed with `+`) or overwrite it.
There's no danger if someone uses `threat-models` with an older CLI
since the CLI can handle configs with extra properties.
Update the ql queries to account for change in how we look for runner
Previously, we guarded blocks of code to be run by the runner or the
action using if statements like this:
```js
if (mode === "actions") ...
```
We are no longer doing this. And now, the `unguarded-action-lib.ql`
query is out of date. This query checks that runner code does not
unintentionally access actions-only methods in the libraries.
With these changes, we now ensure that code scanning is happy.
Andrew Eisenberg
Henry Mercer
Chuan-kai Lin
Robert
Chris Gavin
0xflotus
Robert Brignull
anaarmas