Skip to content

Commit fdc76dd

Browse files
committed
Merge branch 'main' into nth
2 parents 1a6c6a4 + fcb4703 commit fdc76dd

File tree

415 files changed

+9330
-4092
lines changed

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

415 files changed

+9330
-4092
lines changed

.bazelrc

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,9 @@ common --override_module=semmle_code=%workspace%/misc/bazel/semmle_code_stub
1212

1313
build --repo_env=CC=clang --repo_env=CXX=clang++
1414

15+
# print test output, like sembuild does.
16+
# Set to `errors` if this is too verbose.
17+
test --test_output all
1518
# we use transitions that break builds of `...`, so for `test` to work with that we need the following
1619
test --build_tests_only
1720

LICENSE

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
MIT License
22

3-
Copyright (c) 2006-2020 GitHub, Inc.
3+
Copyright (c) 2006-2025 GitHub, Inc.
44

55
Permission is hereby granted, free of charge, to any person obtaining a copy
66
of this software and associated documentation files (the "Software"), to deal

MODULE.bazel

Lines changed: 6 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -58,15 +58,12 @@ register_toolchains("@rust_toolchains//:all")
5858
py_deps = use_extension("//misc/bazel/3rdparty:py_deps_extension.bzl", "p")
5959
use_repo(
6060
py_deps,
61-
"vendor__anyhow-1.0.44",
62-
"vendor__cc-1.0.70",
63-
"vendor__clap-2.33.3",
64-
"vendor__regex-1.5.5",
65-
"vendor__smallvec-1.6.1",
66-
"vendor__string-interner-0.12.2",
67-
"vendor__thiserror-1.0.29",
68-
"vendor__tree-sitter-0.20.4",
69-
"vendor__tree-sitter-graph-0.7.0",
61+
"vendor_py__anyhow-1.0.95",
62+
"vendor_py__cc-1.2.14",
63+
"vendor_py__clap-4.5.30",
64+
"vendor_py__regex-1.11.1",
65+
"vendor_py__tree-sitter-0.20.4",
66+
"vendor_py__tree-sitter-graph-0.7.0",
7067
)
7168

7269
# deps for ruby+rust

actions/extractor/BUILD.bazel

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,7 @@ codeql_pkg_files(
44
name = "extractor",
55
srcs = [
66
"codeql-extractor.yml",
7+
"//:LICENSE",
78
] + glob(["tools/**"]),
89
strip_prefix = strip_prefix.from_pkg(),
910
visibility = ["//actions:__pkg__"],

actions/ql/lib/CHANGELOG.md

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,9 @@
1+
## 0.4.3
2+
3+
### New Features
4+
5+
* The "Unpinned tag for a non-immutable Action in workflow" query (`actions/unpinned-tag`) now supports expanding the trusted action owner list using data extensions (`extensible: trustedActionsOwnerDataModel`). If you trust an Action publisher, you can include the owner name/organization in a model pack to add it to the allow list for this query. This addition will prevent security alerts when using unpinned tags for Actions published by that owner. For more information on creating a model pack, see [Creating a CodeQL Model Pack](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack).
6+
17
## 0.4.2
28

39
### Bug Fixes
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,5 @@
1-
---
2-
category: feature
3-
---
4-
* The "Unpinned tag for a non-immutable Action in workflow" query (`actions/unpinned-tag`) now supports expanding the trusted action owner list using data extensions (`extensible: trustedActionsOwnerDataModel`). If you trust an Action publisher, you can include the owner name/organization in a model pack to add it to the allow list for this query. This addition will prevent security alerts when using unpinned tags for Actions published by that owner. For more information on creating a model pack, see [Creating a CodeQL Model Pack](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack).
1+
## 0.4.3
2+
3+
### New Features
4+
5+
* The "Unpinned tag for a non-immutable Action in workflow" query (`actions/unpinned-tag`) now supports expanding the trusted action owner list using data extensions (`extensible: trustedActionsOwnerDataModel`). If you trust an Action publisher, you can include the owner name/organization in a model pack to add it to the allow list for this query. This addition will prevent security alerts when using unpinned tags for Actions published by that owner. For more information on creating a model pack, see [Creating a CodeQL Model Pack](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack).
Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,2 +1,2 @@
11
---
2-
lastReleaseVersion: 0.4.2
2+
lastReleaseVersion: 0.4.3

actions/ql/lib/qlpack.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
name: codeql/actions-all
2-
version: 0.4.3-dev
2+
version: 0.4.4-dev
33
library: true
44
warnOnImplicitThis: true
55
dependencies:

actions/ql/src/CHANGELOG.md

Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,29 @@
1+
## 0.5.0
2+
3+
### Breaking Changes
4+
5+
* The following queries have been removed from the `code-scanning` and `security-extended` suites.
6+
Any existing alerts for these queries will be closed automatically.
7+
* `actions/if-expression-always-true/critical`
8+
* `actions/if-expression-always-true/high`
9+
* `actions/unnecessary-use-of-advanced-config`
10+
11+
* The following query has been moved from the `code-scanning` suite to the `security-extended`
12+
suite. Any existing alerts for this query will be closed automatically unless the analysis is
13+
configured to use the `security-extended` suite.
14+
* `actions/unpinned-tag`
15+
* The following queries have been added to the `security-extended` suite.
16+
* `actions/unversioned-immutable-action`
17+
* `actions/envpath-injection/medium`
18+
* `actions/envvar-injection/medium`
19+
* `actions/code-injection/medium`
20+
* `actions/artifact-poisoning/medium`
21+
* `actions/untrusted-checkout/medium`
22+
23+
### Minor Analysis Improvements
24+
25+
* Fixed false positives in the query `actions/unpinned-tag` (CWE-829), which will no longer flag uses of Docker-based GitHub actions pinned by the container's SHA256 digest.
26+
127
## 0.4.2
228

329
No user-facing changes.

actions/ql/src/change-notes/2025-02-14-docker-false-positives.md

Lines changed: 0 additions & 5 deletions
This file was deleted.

0 commit comments

Comments
 (0)