-
Notifications
You must be signed in to change notification settings - Fork 2k
Make actions/unpinned-tag lockfile- and $/-aware #22155
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Draft
nodeselector
wants to merge
13
commits into
github:main
Choose a base branch
from
nodeselector:nodeselector-actions-lockfile-aware-pinning
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Draft
Changes from 2 commits
Commits
Show all changes
13 commits
Select commit
Hold shift + click to select a range
dc76ee9
actions: stop unpinned-tag flagging $/ self-references
nodeselector 5088f9f
actions: scaffold lockfile-aware pinning for unpinned-tag
nodeselector 88c36ab
actions: regenerate unpinned-tag test expected output
nodeselector 75734f7
actions: add lockfile-to-data-extension generator for unpinned-tag
nodeselector f0cfed0
actions: generate lockfile-pinned data extension during extraction
nodeselector 5085314
actions: drop machine-specific replace, document lockfile generator l…
nodeselector 75dc432
actions: keep lockfile generator go.mod free of local replace
nodeselector b1165b5
actions: rename self-reference to self repository in unpinned-tag
nodeselector 7879f40
actions: make lockfile-extension generation atomic
nodeselector f64f112
actions: drop private actions-lockfile dependency from generator
nodeselector fbe00de
actions: emit empty data list for zero-row lockfile extension
nodeselector 5ae6d72
actions/unpinned-tag: match lockfile pins case-insensitively on owner…
nodeselector 9a0eef7
actions: use US spelling in lockfile-aware pinning comments
nodeselector File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| --- | ||
| category: minorAnalysis | ||
| --- | ||
| * Added a new extensible predicate `pinnedByLockfileDataModel(workflow_path, nwo, ref)`, which records `uses:` references that are pinned by a repository's Actions lockfile (`.github/workflows/actions.lock`). It is intended to be populated by the CodeQL Actions extractor and is currently unpopulated, so it has no effect until that support ships. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| extensions: | ||
| - addsTo: | ||
| pack: codeql/actions-all | ||
| extensible: pinnedByLockfileDataModel | ||
| # `pinnedByLockfileDataModel` records `uses:` references that are pinned by the repository's | ||
| # Actions lockfile (`.github/workflows/actions.lock`). It is intended to be populated by the | ||
| # CodeQL Actions extractor, which parses the lockfile at database-creation time using the | ||
| # canonical Go parser at `github.com/github/actions-lockfile/go`. Each row is | ||
| # `[workflow_path, nwo, ref]`: | ||
| # - workflow_path: repo-relative path of the file containing the `uses:` reference | ||
| # - nwo: owner/name of the referenced action (e.g. `actions/checkout`) | ||
| # - ref: the ref as written in `uses:` (e.g. `v4`) | ||
| # | ||
| # Example of the intended shape (commented out; real data is supplied by the extractor): | ||
| # - [".github/workflows/ci.yml", "actions/checkout", "v4"] | ||
| # | ||
| # Until the extractor populates this predicate it stays empty, so the | ||
| # `not pinnedByLockfile(...)` clause in `actions/unpinned-tag` is a no-op and behaviour is | ||
| # unchanged for repositories without a lockfile. | ||
| data: [] |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
4 changes: 4 additions & 0 deletions
4
actions/ql/src/change-notes/2026-07-09-unpinned-tag-lockfile-aware.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| --- | ||
| category: minorAnalysis | ||
| --- | ||
| * The `actions/unpinned-tag` query no longer reports `uses:` references that are recorded as pinned by a repository's Actions lockfile (`.github/workflows/actions.lock`) via the new `pinnedByLockfileDataModel` extensible predicate. This predicate is populated by the CodeQL Actions extractor and has no effect until that support ships. |
4 changes: 4 additions & 0 deletions
4
actions/ql/src/change-notes/2026-07-09-unpinned-tag-self-reference.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| --- | ||
| category: minorAnalysis | ||
| --- | ||
| * The `actions/unpinned-tag` query no longer reports `$/` same-repo self-references (e.g. `uses: $/path/to/action`), which are inherently pinned to the running commit, just like `./` local references. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
17 changes: 17 additions & 0 deletions
17
actions/ql/test/query-tests/Security/CWE-829/.github/workflows/lockfile_pinned.yml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| on: | ||
| pull_request | ||
|
|
||
| jobs: | ||
| build: | ||
| name: Build and test | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| # `some-owner/pinned-action@v1` is a tag ref that would normally be reported as an unpinned | ||
| # tag. The test data extension `pinned_by_lockfile.model.yml` records it as pinned by the | ||
| # repository's Actions lockfile, so the `not pinnedByLockfile(...)` clause suppresses it (this | ||
| # fixture is expected to produce no findings). This mirrors what the CodeQL Actions extractor | ||
| # will do by parsing `.github/workflows/actions.lock`. | ||
| # | ||
| # Negative control is provided for free by the many other fixtures in this directory whose tag | ||
| # refs are NOT recorded in the data extension and therefore remain reported. | ||
| - uses: some-owner/pinned-action@v1 |
15 changes: 15 additions & 0 deletions
15
actions/ql/test/query-tests/Security/CWE-829/.github/workflows/self_ref_dollar.yml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| on: | ||
| pull_request | ||
|
|
||
| jobs: | ||
| build: | ||
| name: Build and test | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| # `$/` is a same-repo self-reference resolved at the running commit. It is inherently | ||
| # pinned (like `./` local refs) and must never be reported as an unpinned tag. | ||
| - uses: $/actions/foo | ||
| # `$/…@ref` is rejected by the `$/` rule, but a user could still write it. It must also | ||
| # never be flagged; this case exercises the `not isSelfReference(nwo)` suppression, since | ||
| # without it `$/actions/foo@v1` would otherwise be reported as an unpinned tag. | ||
| - uses: $/actions/foo@v1 |
10 changes: 10 additions & 0 deletions
10
actions/ql/test/query-tests/Security/CWE-829/pinned_by_lockfile.model.yml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| extensions: | ||
| - addsTo: | ||
| pack: codeql/actions-all | ||
| extensible: pinnedByLockfileDataModel | ||
| # Test data standing in for what the CodeQL Actions extractor will emit from | ||
| # `.github/workflows/actions.lock`. Records `some-owner/pinned-action@v1` in | ||
| # `lockfile_pinned.yml` as pinned by the lockfile so the `actions/unpinned-tag` | ||
| # query suppresses it. | ||
| data: | ||
| - [".github/workflows/lockfile_pinned.yml", "some-owner/pinned-action", "v1"] |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.