diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll index 8e36aef408e..bfbc990d671 100644 --- a/ql/lib/codeql/actions/Ast.qll +++ b/ql/lib/codeql/actions/Ast.qll @@ -46,18 +46,39 @@ module Utils { bindingset[var] private string multilineAssignmentRegex(string var) { + // eg: + // echo "PR_TITLE<> $GITHUB_ENV + // echo "$TITLE" >> $GITHUB_ENV + // echo "EOF" >> $GITHUB_ENV result = - ".*(echo|Write-Output)\\s+(.*)<<\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + ".*(echo|Write-Output)\\s+(.*)<<[\\-]*\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() + "(\\})?(\"|')?.*" } bindingset[var] private string multilineBlockAssignmentRegex(string var) { + // eg: + // { + // echo 'JSON_RESPONSE<> "$GITHUB_ENV" + // echo EOF + // } >> "$GITHUB_ENV" result = - ".*\\{(\\s|::NEW_LINE::)*(echo|Write-Output)\\s+(.*)<<\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?(\\s|::NEW_LINE::)*\\}\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + ".*\\{(\\s|::NEW_LINE::)*(echo|Write-Output)\\s+(.*)<<[\\-]*\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?(\\s|::NEW_LINE::)*\\}\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() + "(\\})?(\"|')?.*" } + bindingset[var] + private string multilineHereDocAssignmentRegex(string var) { + // eg: + // cat <<-EOF >> "$GITHUB_ENV" + // echo "FOO=$TITLE" + // EOF + result = + ".*cat\\s*<<[\\-]*\\s*[A-Z]*EOF\\s*>>\\s*[\"']*\\$[\\{]*GITHUB_.*" + var.toUpperCase() + + "[\\}]*[\"']*.*(echo|Write-Output)\\s+([^=]+)=(.*)::NEW_LINE::.*EOF.*" + } + bindingset[script, var] predicate extractMultilineAssignment(string script, string var, string key, string value) { // multiline assignment 
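Review bot: In the added `multilineHereDocAssignmentRegex`, the fragment `GITHUB_.*" + var.toUpperCase()` allows arbitrary text between `GITHUB_` and the variable name, so a redirect to a different `GITHUB_*` file can match whenever the name appears later in the flattened script. The two sibling regexes concatenate the name directly, and this one should as well: `\\$[\\{]*GITHUB_" + var.toUpperCase() +`. The pattern also requires `(echo|Write-Output)` inside the heredoc body, yet a `cat <<EOF` body is written to the file verbatim, so the plain `KEY=value` form would presumably go undetected. If that form is added, the key and value should stay at capture groups 2 and 3, which `extractMultilineAssignment` reads. The example comments in this hunk look truncated on this page, so the intended script shapes are inferred from the regexes.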
@@ -87,6 +108,19 @@ module Utils { .splitAt("\n") + ")" and key = trimQuotes(flattenedScript.regexpCapture(multilineBlockAssignmentRegex(var), 3)) ) + or + // multiline heredoc assignment + exists(string flattenedScript | + flattenedScript = script.replaceAll("\n", "::NEW_LINE::") and + value = + trimQuotes(flattenedScript.regexpCapture(multilineHereDocAssignmentRegex(var), 3)) + .regexpReplaceAll("\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() + + "(\\})?(\"|')?", "") + .replaceAll("::NEW_LINE::", "\n") + .trim() + .splitAt("\n") and + key = trimQuotes(flattenedScript.regexpCapture(multilineHereDocAssignmentRegex(var), 2)) + ) } bindingset[line] diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 0dc376765a8..6dd9b5d3617 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll @@ -1,5 +1,3 @@ -private import actions -private import codeql.actions.DataFlow private import codeql.actions.dataflow.ExternalFlow private import codeql.actions.security.ArtifactPoisoningQuery 
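Review bot: In the new heredoc disjunct of `extractMultilineAssignment`, the `regexpReplaceAll` that strips `>> $GITHUB_<VAR>` from the captured value appears to be carried over from the two earlier disjuncts. In the heredoc form the redirect sits on the `cat` line, before capture group 3 begins, so the call should normally have nothing to remove. If that holds, drop it and keep `.replaceAll("::NEW_LINE::", "\n").trim().splitAt("\n")`. Because group 3 is a greedy `(.*)`, `value` can also yield later body lines after the split while `key` is only the first name; a short comment saying whether that is intended would help. The predicate starts before this hunk.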
@@ -22,53 +20,17 @@ abstract class RemoteFlowSource extends SourceNode { } bindingset[context] -private predicate isExternalUserControlled(string context) { - exists(string reg | reg = "github\\.event" | - Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) - ) -} - -bindingset[context] -private predicate isExternalUserControlledIssue(string context) { - exists(string reg | reg = ["github\\.event\\.issue\\.title", "github\\.event\\.issue\\.body"] | - Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) - ) -} - -bindingset[context] -private predicate isExternalUserControlledPullRequest(string context) { - exists(string reg | - reg = - [ - "github\\.event\\.pull_request\\.title", "github\\.event\\.pull_request\\.body", - "github\\.event\\.pull_request\\.head\\.label", - "github\\.event\\.pull_request\\.head\\.repo\\.default_branch", - "github\\.event\\.pull_request\\.head\\.repo\\.description", - "github\\.event\\.pull_request\\.head\\.repo\\.homepage", - "github\\.event\\.pull_request\\.head\\.ref", "github\\.head_ref" - ] - | - Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) - ) -} - -bindingset[context] -private predicate isExternalUserControlledReview(string context) { - Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp("github\\.event\\.review\\.body")) -} - -bindingset[context] -private predicate isExternalUserControlledComment(string context) { - Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp("github\\.event\\.comment\\.body")) -} - -bindingset[context] -private predicate isExternalUserControlledGollum(string context) { +private predicate titleEvent(string context) { exists(string reg | reg = [ + // title + "github\\.event\\.issue\\.title", // issue + "github\\.event\\.pull_request\\.title", // pull request + "github\\.event\\.discussion\\.title", // discussion "github\\.event\\.pages\\[[0-9]+\\]\\.page_name", - "github\\.event\\.pages\\[[0-9]+\\]\\.title" + 
"github\\.event\\.pages\\[[0-9]+\\]\\.title", + "github\\.event\\.workflow_run\\.display_title", // The event-specific title associated with the run or the run-name if set, or the value of run-name if it is set in the workflow. ] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) @@ -76,19 +38,12 @@ private predicate isExternalUserControlledGollum(string context) { } bindingset[context] -private predicate isExternalUserControlledCommit(string context) { +private predicate urlEvent(string context) { exists(string reg | reg = [ - "github\\.event\\.commits\\[[0-9]+\\]\\.message", "github\\.event\\.head_commit\\.message", - "github\\.event\\.head_commit\\.author\\.email", - "github\\.event\\.head_commit\\.author\\.name", - "github\\.event\\.head_commit\\.committer\\.email", - "github\\.event\\.head_commit\\.committer\\.name", - "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.email", - "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.name", - "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.email", - "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name", + // url + "github\\.event\\.pull_request\\.head\\.repo\\.homepage", ] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) 
@@ -96,32 +51,71 @@ private predicate isExternalUserControlledCommit(string context) { } bindingset[context] -private predicate isExternalUserControlledDiscussion(string context) { +private predicate textEvent(string context) { exists(string reg | - reg = ["github\\.event\\.discussion\\.title", "github\\.event\\.discussion\\.body"] + reg = + [ + // text + "github\\.event\\.issue\\.body", // body + "github\\.event\\.pull_request\\.body", // body + "github\\.event\\.discussion\\.body", // body + "github\\.event\\.review\\.body", // body + "github\\.event\\.comment\\.body", // body + "github\\.event\\.commits\\[[0-9]+\\]\\.message", // messsage + "github\\.event\\.head_commit\\.message", // message + "github\\.event\\.workflow_run\\.head_commit\\.message", // message + "github\\.event\\.pull_request\\.head\\.repo\\.description", // description + "github\\.event\\.workflow_run\\.head_repository\\.description", // description + "github\\.event\\.client_payload\\[[0-9]+\\]", // payload + "github\\.event\\.client_payload", // payload + "github\\.event\\.inputs\\[[0-9]+\\]", // input + "github\\.event\\.inputs", // input + ] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) ) } bindingset[context] -private predicate isExternalUserControlledWorkflowRun(string context) { +private predicate repoNameEvent(string context) { exists(string reg | reg = [ - "github\\.event\\.workflow\\.path", "github\\.event\\.workflow_run\\.head_branch", - "github\\.event\\.workflow_run\\.display_title", + // repo name + // Owner: All characters must be either a hyphen (-) or alphanumeric + // Repo: All code points must be either a hyphen (-), an underscore (_), a period (.), or an ASCII alphanumeric code point + "github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.repo\\.name", // repo name + "github\\.event\\.workflow_run\\.head_repository\\.name", // repo name + "github\\.event\\.workflow_run\\.head_repository\\.full_name", // nwo + ] + | + 
Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) + ) +} + +bindingset[context] +private predicate branchEvent(string context) { + exists(string reg | + reg = + [ + // branch + // https://docs.github.com/en/get-started/using-git/dealing-with-special-characters-in-branch-and-tag-names + // - They can include slash / for hierarchical (directory) grouping, but no slash-separated component can begin with a dot . or end with the sequence .lock. + // - They must contain at least one / + // - They cannot have two consecutive dots .. anywhere. + // - They cannot have ASCII control characters (i.e. bytes whose values are lower than \040, or \177 DEL), space, tilde ~, caret ^, or colon : anywhere. + // - They cannot have question-mark ?, asterisk *, or open bracket [ anywhere. + // - They cannot begin or end with a slash / or contain multiple consecutive slashes + // - They cannot end with a dot . + // - They cannot contain a sequence @{ + // - They cannot be the single character @ + // - They cannot contain a \ + // eg: zzz";echo${IFS}"hello";# would be a valid branch name + "github\\.event\\.pull_request\\.head\\.repo\\.default_branch", + "github\\.event\\.pull_request\\.head\\.ref", "github\\.head_ref", + "github\\.event\\.workflow_run\\.head_branch", "github\\.event\\.workflow_run\\.head_branch", - "github\\.event\\.workflow_run\\.head_repository\\.description", - "github\\.event\\.workflow_run\\.head_repository\\.full_name", - "github\\.event\\.workflow_run\\.head_repository\\.name", - "github\\.event\\.workflow_run\\.head_commit\\.message", - "github\\.event\\.workflow_run\\.head_commit\\.author\\.email", - "github\\.event\\.workflow_run\\.head_commit\\.author\\.name", - "github\\.event\\.workflow_run\\.head_commit\\.committer\\.email", - "github\\.event\\.workflow_run\\.head_commit\\.committer\\.name", "github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.ref", - 
"github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.repo\\.name", ] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) 
@@ -129,45 +123,115 @@ private predicate isExternalUserControlledWorkflowRun(string context) { } bindingset[context] -private predicate isExternalUserControlledRepositoryDispatch(string context) { +private predicate labelEvent(string context) { exists(string reg | - reg = ["github\\.event\\.client_payload\\[[0-9]+\\]", "github\\.event\\.client_payload",] + reg = + [ + // label + // - They cannot contain a escaping \ + "github\\.event\\.pull_request\\.head\\.label", + ] | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) ) } bindingset[context] -private predicate isExternalUserControlledWorkflowDispatch(string context) { - exists(string reg | reg = ["github\\.event\\.inputs\\[[0-9]+\\]", "github\\.event\\.inputs",] | +private predicate emailEvent(string context) { + exists(string reg | + reg = + [ + // email + // `echo${IFS}hello`@domain.com + "github\\.event\\.head_commit\\.author\\.email", + "github\\.event\\.head_commit\\.committer\\.email", + "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.email", + "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.email", + "github\\.event\\.workflow_run\\.head_commit\\.author\\.email", + "github\\.event\\.workflow_run\\.head_commit\\.committer\\.email", + ] + | Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) ) } -private class EventSource extends RemoteFlowSource { +bindingset[context] +private predicate usernameEvent(string context) { + exists(string reg | + reg = + [ + // username + // All characters must be either a hyphen (-) or alphanumeric + "github\\.event\\.head_commit\\.author\\.name", + "github\\.event\\.head_commit\\.committer\\.name", + "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.name", + "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name", + "github\\.event\\.workflow_run\\.head_commit\\.author\\.name", + "github\\.event\\.workflow_run\\.head_commit\\.committer\\.name", + ] + | + Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) + ) +} + 
+bindingset[context] +private predicate pathEvent(string context) { + exists(string reg | + reg = + [ + // filename + "github\\.event\\.workflow\\.path", + ] + | + Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) + ) +} + +bindingset[context] +private predicate jsonEvent(string context) { + exists(string reg | + reg = + [ + // json + "github\\.event", + ] + | + Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg)) + ) +} + +class EventSource extends RemoteFlowSource { + string flag; + EventSource() { exists(Expression e, string context | this.asExpr() = e and context = e.getExpression() | - isExternalUserControlled(context) or - isExternalUserControlledIssue(context) or - isExternalUserControlledPullRequest(context) or - isExternalUserControlledReview(context) or - isExternalUserControlledComment(context) or - isExternalUserControlledGollum(context) or - isExternalUserControlledCommit(context) or - isExternalUserControlledDiscussion(context) or - isExternalUserControlledWorkflowRun(context) or - isExternalUserControlledRepositoryDispatch(context) or - isExternalUserControlledWorkflowDispatch(context) + titleEvent(context) and flag = "title" + or + urlEvent(context) and flag = "url" + or + textEvent(context) and flag = "text" + or + branchEvent(context) and flag = "branch" + or + labelEvent(context) and flag = "label" + or + emailEvent(context) and flag = "email" + or + usernameEvent(context) and flag = "username" + or + pathEvent(context) and flag = "filename" + or + jsonEvent(context) and flag = "json" ) } - override string getSourceType() { result = "User-controlled events" } + override string getSourceType() { result = flag } } /** * A Source of untrusted data defined in a MaD specification */ -private class ExternallyDefinedSource extends RemoteFlowSource { +class ExternallyDefinedSource extends RemoteFlowSource { string sourceType; ExternallyDefinedSource() { externallyDefinedSource(this, sourceType, _) } 
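Review bot: `repoNameEvent`, declared in the preceding hunk, is never referenced in the `EventSource` characteristic predicate here. As a result `github.event.workflow_run.head_repository.name`, `...head_repository.full_name` and `...workflow_run.pull_requests[N].head.repo.name` stop being sources, although the removed `isExternalUserControlledWorkflowRun` covered them. If dropping them is intended because of the restricted character set noted in the comment, remove the unused predicate and say so. Otherwise add a disjunct such as `repoNameEvent(context) and flag = "<label>"`, with whatever label the queries should see. The strings returned by `getSourceType()` are now compared as literals in other files (`"branch"`, `"artifact"`), so a QLDoc line on `flag` listing the allowed labels would keep model files and queries in step.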
@@ -178,19 +242,19 @@ private class ExternallyDefinedSource extends RemoteFlowSource { /** * An input for a Composite Action */ -private class CompositeActionInputSource extends RemoteFlowSource { +class CompositeActionInputSource extends RemoteFlowSource { CompositeAction c; CompositeActionInputSource() { c.getAnInput() = this.asExpr() } - override string getSourceType() { result = "Composite action input" } + override string getSourceType() { result = "input" } } /** * A downloadeded artifact. */ -private class ArtifactToOptionSource extends RemoteFlowSource { - ArtifactToOptionSource() { this.asExpr() instanceof UntrustedArtifactDownloadStep } +private class ArtifactSource extends RemoteFlowSource { + ArtifactSource() { this.asExpr() instanceof UntrustedArtifactDownloadStep } - override string getSourceType() { result = "Step output from Artifact" } + override string getSourceType() { result = "artifact" } } diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll index cdcc1dbdf81..0467a51f4e9 100644 --- a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll +++ b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll @@ -7,14 +7,6 @@ import codeql.actions.DataFlow abstract class EnvVarInjectionSink extends DataFlow::Node { } -// predicate envVarInjectionFromEnvVarSink(DataFlow::Node sink) { -// exists(Expression expr, Run run, string varName, string key, string value | -// expr = run.getInScopeEnvVarExpr(varName) and -// Utils::writeToGitHubEnv(run, key, value) and -// expr = sink.asExpr() and -// value.matches("%$" + ["", "{", "ENV{"] + varName + "%") -// ) -// } class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink { EnvVarInjectionFromEnvVarSink() { exists(Run run, Expression expr, string varname, string key, string value | 
@@ -47,7 +39,10 @@ class EnvVarInjectionFromMaDSink extends EnvVarInjectionSink { * that is used to construct and evaluate an environment variable. */ private module EnvVarInjectionConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } + predicate isSource(DataFlow::Node source) { + source instanceof RemoteFlowSource and + not source.(RemoteFlowSource).getSourceType() = "branch" + } predicate isSink(DataFlow::Node sink) { sink instanceof EnvVarInjectionSink } } diff --git a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml index 63e99abd4d3..fe3c3e58b5f 100644 --- a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml +++ b/ql/lib/ext/ahmadnassri_action-changed-files.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["ahmadnassri/action-changed-files", "*", "output.files", "PR changed files", "manual"] - - ["ahmadnassri/action-changed-files", "*", "output.json", "PR changed files", "manual"] + - ["ahmadnassri/action-changed-files", "*", "output.files", "filename", "manual"] + - ["ahmadnassri/action-changed-files", "*", "output.json", "json", "manual"] diff --git a/ql/lib/ext/amannn_action-semantic-pull-request.model.yml b/ql/lib/ext/amannn_action-semantic-pull-request.model.yml index f2b8c8549a9..4d12a293696 100644 --- a/ql/lib/ext/amannn_action-semantic-pull-request.model.yml +++ b/ql/lib/ext/amannn_action-semantic-pull-request.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["amannn/action-semantic-pull-request", "*", "output.error_message", "PR title", "manual"] + - ["amannn/action-semantic-pull-request", "*", "output.error_message", "text", "manual"] diff --git a/ql/lib/ext/cypress-io_github-action.model.yml b/ql/lib/ext/cypress-io_github-action.model.yml index 21688675a2e..a4539923b35 100644 
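Review bot: The new `isSource` in `EnvVarInjectionConfig` drops every source whose type is `"branch"` without stating why. That label is a free-form string also set in the model files changed later in this commit (for example `tj-actions/branch-names` and `tzkhan/pr-update-action`), so those flows disappear from the environment-variable query too. If the reasoning is that a branch name cannot carry the newline needed to add another entry to `GITHUB_ENV`, state it next to the condition, e.g. `// branch names cannot contain newlines, so they cannot add entries to GITHUB_ENV`; that rationale is inferred here, not stated in the diff. A mistyped label in a model file would silently change which sources are filtered, so defining the label in one shared predicate may be worth it.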
--- a/ql/lib/ext/cypress-io_github-action.model.yml +++ b/ql/lib/ext/cypress-io_github-action.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["cypress-io/github-action", "*", "env.GH_BRANCH", "PR branch", "manual"] + - ["cypress-io/github-action", "*", "env.GH_BRANCH", "branch", "manual"] diff --git a/ql/lib/ext/dawidd6_action-download-artifact.model.yml b/ql/lib/ext/dawidd6_action-download-artifact.model.yml index f90eaeb7271..472778d33b4 100644 --- a/ql/lib/ext/dawidd6_action-download-artifact.model.yml +++ b/ql/lib/ext/dawidd6_action-download-artifact.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["dawidd6/action-download-artifact", "*", "output.artifacts", "Artifact details", "manual"] + - ["dawidd6/action-download-artifact", "*", "output.artifacts", "artifact", "manual"] diff --git a/ql/lib/ext/dorny_paths-filter.model.yml b/ql/lib/ext/dorny_paths-filter.model.yml index 14743f2819e..79621a6a30c 100644 --- a/ql/lib/ext/dorny_paths-filter.model.yml +++ b/ql/lib/ext/dorny_paths-filter.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["dorny/paths-filter", "*", "output.changes", "PR changed files", "manual"] + - ["dorny/paths-filter", "*", "output.changes", "filename", "manual"] diff --git a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml index ecfce617df4..71d83774231 100644 --- a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml +++ b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_DESCRIPTION", "PR body", "manual"] - - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_TITLE", "PR title", "manual"] + - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_DESCRIPTION", "text", "manual"] + - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_TITLE", "title", "manual"] diff --git a/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml b/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml index acb5d462d15..062203945c5 100644 --- a/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml +++ b/ql/lib/ext/generated/composite-actions/googlecloudplatform_dataflowtemplates.model.yml @@ -8,4 +8,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["googlecloudplatform/magic-modules", "*", "output.changed-files", "PR changed files", "manual"] + - ["googlecloudplatform/magic-modules", "*", "output.changed-files", "filename", "manual"] diff --git a/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml b/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml index 0d96077345f..9cc02d3b38c 100644 --- a/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml +++ b/ql/lib/ext/generated/reusable-workflows/puppeteer_puppeteer.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["puppeteer/puppeteer/.github/workflows/changed-packages.yml", "*", "output.changes", "Changed files", "manual"] + - ["puppeteer/puppeteer/.github/workflows/changed-packages.yml", "*", "output.changes", "filename", "manual"] diff --git a/ql/lib/ext/jitterbit_get-changed-files.model.yml b/ql/lib/ext/jitterbit_get-changed-files.model.yml index 38253b68934..e74f953a1a1 100644 
--- a/ql/lib/ext/jitterbit_get-changed-files.model.yml +++ b/ql/lib/ext/jitterbit_get-changed-files.model.yml @@ -3,10 +3,10 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["jitterbit/get-changed-files", "*", "output.all", "PR changed files", "manual"] - - ["jitterbit/get-changed-files", "*", "output.added", "PR changed files", "manual"] - - ["jitterbit/get-changed-files", "*", "output.modified", "PR changed files", "manual"] - - ["jitterbit/get-changed-files", "*", "output.removed", "PR changed files", "manual"] - - ["jitterbit/get-changed-files", "*", "output.renamed", "PR changed files", "manual"] - - ["jitterbit/get-changed-files", "*", "output.added_modified", "PR changed files", "manual"] - - ["jitterbit/get-changed-files", "*", "output.deleted", "PR changed files", "manual"] + - ["jitterbit/get-changed-files", "*", "output.all", "filename", "manual"] + - ["jitterbit/get-changed-files", "*", "output.added", "filename", "manual"] + - ["jitterbit/get-changed-files", "*", "output.modified", "filename", "manual"] + - ["jitterbit/get-changed-files", "*", "output.removed", "filename", "manual"] + - ["jitterbit/get-changed-files", "*", "output.renamed", "filename", "manual"] + - ["jitterbit/get-changed-files", "*", "output.added_modified", "filename", "manual"] + - ["jitterbit/get-changed-files", "*", "output.deleted", "filename", "manual"] diff --git a/ql/lib/ext/khan_pull-request-comment-trigger.model.yml b/ql/lib/ext/khan_pull-request-comment-trigger.model.yml index bbfc0bed1df..9a58d9a764f 100644 --- a/ql/lib/ext/khan_pull-request-comment-trigger.model.yml +++ b/ql/lib/ext/khan_pull-request-comment-trigger.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "Comment body", "manual"] - - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "Comment body", "manual"] + - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "text", "manual"] + - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "text", "manual"] diff --git a/ql/lib/ext/marocchino_on_artifact.model.yml b/ql/lib/ext/marocchino_on_artifact.model.yml index 7a556a0f0ec..c8646cffe8e 100644 --- a/ql/lib/ext/marocchino_on_artifact.model.yml +++ b/ql/lib/ext/marocchino_on_artifact.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["marocchino/on_artifact", "*", "output.*", "Downloaded artifact", "manual"] + - ["marocchino/on_artifact", "*", "output.*", "artifact", "manual"] diff --git a/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml b/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml index 9b0ec011fd6..a85a4b466e2 100644 --- a/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml +++ b/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml @@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["redhat-plumbers-in-action/download-artifact", "*", "output.*", "Downloaded artifact", "manual"] + - ["redhat-plumbers-in-action/download-artifact", "*", "output.*", "artifact", "manual"] diff --git a/ql/lib/ext/tj-actions_branch-names.model.yml b/ql/lib/ext/tj-actions_branch-names.model.yml index 753303b0cb3..d98eda4e69f 100644 --- a/ql/lib/ext/tj-actions_branch-names.model.yml +++ b/ql/lib/ext/tj-actions_branch-names.model.yml 
@@ -4,7 +4,7 @@ extensions: extensible: sourceModel data: # https://github.com/tj-actions/branch-names - - ["tj-actions/branch-names", "*", "output.current_branch", "PR current branch", "manual"] - - ["tj-actions/branch-names", "*", "output.head_ref_branch", "PR head branch", "manual"] - - ["tj-actions/branch-names", "*", "output.ref_branch", "Branch tirggering workflow run", "manual"] + - ["tj-actions/branch-names", "*", "output.current_branch", "branch", "manual"] + - ["tj-actions/branch-names", "*", "output.head_ref_branch", "branch", "manual"] + - ["tj-actions/branch-names", "*", "output.ref_branch", "branch", "manual"] diff --git a/ql/lib/ext/tj-actions_changed-files.model.yml b/ql/lib/ext/tj-actions_changed-files.model.yml index fb15abce061..60fa0149573 100644 --- a/ql/lib/ext/tj-actions_changed-files.model.yml +++ b/ql/lib/ext/tj-actions_changed-files.model.yml 
@@ -3,20 +3,20 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["tj-actions/changed-files", "*", "output.added_files", "PR changed files", "manual"] - - ["tj-actions/changed-files", "*", "output.copied_files", "PR changed files", "manual"] - - ["tj-actions/changed-files", "*", "output.deleted_files", "PR changed files", "manual"] - - ["tj-actions/changed-files", "*", "output.modified_files", "PR changed files", "manual"] - - ["tj-actions/changed-files", "*", "output.renamed_files", "PR changed files", "manual"] - - ["tj-actions/changed-files", "*", "output.all_old_new_renamed_files", "PR changed files", "manual"] - - ["tj-actions/changed-files", "*", "output.type_changed_files", "PR changed files", "manual"] - - ["tj-actions/changed-files", "*", "output.unmerged_files", "PR changed files", "manual"] - - ["tj-actions/changed-files", "*", "output.unknown_files", "PR changed files", "manual"] - - ["tj-actions/changed-files", "*", "output.all_changed_and_modified_files", "PR changed files", "manual"] - - ["tj-actions/changed-files", "*", "output.all_changed_files", "PR changed files", "manual"] - - ["tj-actions/changed-files", "*", "output.other_changed_files", "PR changed files", "manual"] - - ["tj-actions/changed-files", "*", "output.all_modified_files", "PR changed files", "manual"] - - ["tj-actions/changed-files", "*", "output.other_modified_files", "PR changed files", "manual"] - - ["tj-actions/changed-files", "*", "output.other_deleted_files", "PR changed files", "manual"] - - ["tj-actions/changed-files", "*", "output.modified_keys", "PR changed files", "manual"] - - ["tj-actions/changed-files", "*", "output.changed_keys", "PR changed files", "manual"] + - ["tj-actions/changed-files", "*", "output.added_files", "filename", "manual"] + - ["tj-actions/changed-files", "*", "output.copied_files", "filename", "manual"] + - ["tj-actions/changed-files", "*", "output.deleted_files", "filename", "manual"] + - 
["tj-actions/changed-files", "*", "output.modified_files", "filename", "manual"] + - ["tj-actions/changed-files", "*", "output.renamed_files", "filename", "manual"] + - ["tj-actions/changed-files", "*", "output.all_old_new_renamed_files", "filename", "manual"] + - ["tj-actions/changed-files", "*", "output.type_changed_files", "filename", "manual"] + - ["tj-actions/changed-files", "*", "output.unmerged_files", "filename", "manual"] + - ["tj-actions/changed-files", "*", "output.unknown_files", "filename", "manual"] + - ["tj-actions/changed-files", "*", "output.all_changed_and_modified_files", "filename", "manual"] + - ["tj-actions/changed-files", "*", "output.all_changed_files", "filename", "manual"] + - ["tj-actions/changed-files", "*", "output.other_changed_files", "filename", "manual"] + - ["tj-actions/changed-files", "*", "output.all_modified_files", "filename", "manual"] + - ["tj-actions/changed-files", "*", "output.other_modified_files", "filename", "manual"] + - ["tj-actions/changed-files", "*", "output.other_deleted_files", "filename", "manual"] + - ["tj-actions/changed-files", "*", "output.modified_keys", "filename", "manual"] + - ["tj-actions/changed-files", "*", "output.changed_keys", "filename", "manual"] diff --git a/ql/lib/ext/tj-actions_verify-changed-files.model.yml b/ql/lib/ext/tj-actions_verify-changed-files.model.yml index 8e4938368b8..9dccf6d5e6c 100644 --- a/ql/lib/ext/tj-actions_verify-changed-files.model.yml +++ b/ql/lib/ext/tj-actions_verify-changed-files.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["tj-actions/verify-changed-files", "*", "output.changed-files", "PR changed files", "manual"] + - ["tj-actions/verify-changed-files", "*", "output.changed-files", "filename", "manual"] diff --git a/ql/lib/ext/trilom_file-changes-action.model.yml b/ql/lib/ext/trilom_file-changes-action.model.yml index 61141e5f73b..b8fb2514253 100644 --- a/ql/lib/ext/trilom_file-changes-action.model.yml 
+++ b/ql/lib/ext/trilom_file-changes-action.model.yml @@ -3,7 +3,7 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["trilom/file-changes-action", "*", "output.files", "PR changed files", "manual"] - - ["trilom/file-changes-action", "*", "output.files_added", "PR changed files", "manual"] - - ["trilom/file-changes-action", "*", "output.files_modified", "PR changed files", "manual"] - - ["trilom/file-changes-action", "*", "output.files_removed", "PR changed files", "manual"] + - ["trilom/file-changes-action", "*", "output.files", "filename", "manual"] + - ["trilom/file-changes-action", "*", "output.files_added", "filename", "manual"] + - ["trilom/file-changes-action", "*", "output.files_modified", "filename", "manual"] + - ["trilom/file-changes-action", "*", "output.files_removed", "filename", "manual"] diff --git a/ql/lib/ext/tzkhan_pr-update-action.model.yml b/ql/lib/ext/tzkhan_pr-update-action.model.yml index c80590e4931..499161aafcb 100644 --- a/ql/lib/ext/tzkhan_pr-update-action.model.yml +++ b/ql/lib/ext/tzkhan_pr-update-action.model.yml @@ -3,4 +3,4 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["tzkhan/pr-update-action", "*", "output.headMatch", "", "manual"] + - ["tzkhan/pr-update-action", "*", "output.headMatch", "branch", "manual"] diff --git a/ql/lib/ext/xt0rted_slash-command-action.model.yml b/ql/lib/ext/xt0rted_slash-command-action.model.yml index 2a4378d1712..173ecfc4222 100644 --- a/ql/lib/ext/xt0rted_slash-command-action.model.yml +++ b/ql/lib/ext/xt0rted_slash-command-action.model.yml 
@@ -3,5 +3,5 @@ extensions: pack: githubsecuritylab/actions-all extensible: sourceModel data: - - ["xt0rted/slash-command-action", "*", "output.command-arguments", "", "manual"] - - ["xt0rted/slash-command-action", "*", "output.command-arguments", "", "manual"] + - ["xt0rted/slash-command-action", "*", "output.command-arguments", "text", "manual"] + - ["xt0rted/slash-command-action", "*", "output.command-arguments", "text", "manual"] diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 1710768761f..3800ce9e85c 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: githubsecuritylab/actions-all -version: 0.0.18 +version: 0.0.19 dependencies: codeql/util: ^0.2.0 codeql/yaml: ^0.1.2 diff --git a/ql/src/Security/CWE-077/EnvPathInjection.ql b/ql/src/Security/CWE-077/EnvPathInjection.ql index 720b7aed8cc..80d1729b267 100644 --- a/ql/src/Security/CWE-077/EnvPathInjection.ql +++ b/ql/src/Security/CWE-077/EnvPathInjection.ql @@ -20,11 +20,19 @@ from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink where EnvPathInjectionFlow::flowPath(source, sink) and ( + // sink belongs to a composite action exists(sink.getNode().asExpr().getEnclosingCompositeAction()) or + // sink belongs to a non-privileged job exists(Job j | j = sink.getNode().asExpr().getEnclosingJob() and not j.isPrivileged() + ) and + ( + not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" + or + source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and + sink.getNode() instanceof EnvPathInjectionFromFileReadSink ) ) select sink.getNode(), source, sink, diff --git a/ql/src/Security/CWE-077/EnvVarInjection.ql b/ql/src/Security/CWE-077/EnvVarInjection.ql index af3f2998cc9..8c251095457 100644 --- a/ql/src/Security/CWE-077/EnvVarInjection.ql +++ b/ql/src/Security/CWE-077/EnvVarInjection.ql 
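Review bot: In the `where` clause of EnvPathInjection.ql the added artifact filter is joined with `and` to the `exists(Job j | ...)` disjunct only. Since `and` binds tighter than `or`, sinks inside a composite action are still reported for artifact sources that do not reach an `EnvPathInjectionFromFileReadSink`. PrivilegedEnvPathInjection.ql applies the same filter at the top level of its `where`, which suggests the narrower scope here is unintended. Close the composite/job group first and conjoin the filter afterwards, i.e. `( exists(...) or exists(Job j | ...) ) and ( not ... = "artifact" or ... )`. The EnvVarInjection.ql hunk that follows has the same shape with `artifactToFileRead(...)`.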
@@ -16,16 +16,29 @@ import actions import codeql.actions.security.EnvVarInjectionQuery import EnvVarInjectionFlow::PathGraph +predicate artifactToFileRead(DataFlow::Node source, DataFlow::Node sink) { + ( + not source.(RemoteFlowSource).getSourceType() = "artifact" + or + source.(RemoteFlowSource).getSourceType() = "artifact" and + sink instanceof EnvVarInjectionFromFileReadSink + ) +} + from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink where EnvVarInjectionFlow::flowPath(source, sink) and ( + // sink belongs to a composite action exists(sink.getNode().asExpr().getEnclosingCompositeAction()) or + // sink belongs to a non-privileged job exists(Job j | j = sink.getNode().asExpr().getEnclosingJob() and not j.isPrivileged() - ) + ) and + // exclude paths to file read sinks from non-artifact sources + artifactToFileRead(source.getNode(), sink.getNode()) ) select sink.getNode(), source, sink, "Potential environment variable injection in $@, which may be controlled by an external user.", diff --git a/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql b/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql index 3e7c74ab895..a25473fd812 100644 --- a/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql +++ b/ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql 
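Review bot: The comment `// exclude paths to file read sinks from non-artifact sources` in EnvVarInjection.ql does not describe what `artifactToFileRead` does. The predicate holds for every source whose type is not `artifact`, whatever the sink, and only restricts `artifact` sources to `EnvVarInjectionFromFileReadSink`, so a non-artifact source reaching a file-read sink is still reported. If the code is the intent, the comment should read `// artifact sources are only reported when they reach a file-read sink`, and a one-line QLDoc on the predicate should say the same; if the comment is the intent, the predicate's condition needs inverting. The same comment appears in the PrivilegedEnvVarInjection.ql hunk.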
@@ -19,9 +19,13 @@ import EnvPathInjectionFlow::PathGraph
 from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink
 where
 EnvPathInjectionFlow::flowPath(source, sink) and
- exists(Job j |
- j = sink.getNode().asExpr().getEnclosingJob() and
- j.isPrivileged()
+ // sink belongs to a privileged job
+ sink.getNode().asExpr().getEnclosingJob().isPrivileged() and
+ (
+ not source.getNode().(RemoteFlowSource).getSourceType() = "artifact"
+ or
+ source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
+ sink.getNode() instanceof EnvPathInjectionFromFileReadSink
 )
 select sink.getNode(), source, sink,
 "Potential privileged PATH environment variable injection in $@, which may be controlled by an external user.",
diff --git a/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql b/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql
index aac7568e654..5311d9a4de8 100644
--- a/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql
+++ b/ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql
@@ -16,13 +16,22 @@ import actions import codeql.actions.security.EnvVarInjectionQuery import EnvVarInjectionFlow::PathGraph +predicate artifactToFileRead(DataFlow::Node source, DataFlow::Node sink) { + ( + not source.(RemoteFlowSource).getSourceType() = "artifact" + or + source.(RemoteFlowSource).getSourceType() = "artifact" and + sink instanceof EnvVarInjectionFromFileReadSink + ) +} + from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink where EnvVarInjectionFlow::flowPath(source, sink) and - exists(Job j | - j = sink.getNode().asExpr().getEnclosingJob() and - j.isPrivileged() - ) + // sink belongs to a privileged job + sink.getNode().asExpr().getEnclosingJob().isPrivileged() and + // exclude paths to file read sinks from non-artifact sources + artifactToFileRead(source.getNode(), sink.getNode()) select sink.getNode(), source, sink, "Potential privileged environment variable injection in $@, which may be controlled by an external user.", sink, sink.getNode().toString() diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index 24f07dafe89..c431636c96a 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: githubsecuritylab/actions-queries -version: 0.0.18 +version: 0.0.19 groups: - actions - queries diff --git a/ql/test/library-tests/test.actual b/ql/test/library-tests/test.actual deleted file mode 100644 index ee68d409634..00000000000 --- a/ql/test/library-tests/test.actual +++ /dev/null 
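Review bot: `artifactToFileRead` is declared a second time in PrivilegedEnvVarInjection.ql, identical to the copy added in EnvVarInjection.ql, and the two EnvPath queries inline the same condition with `EnvPathInjectionFromFileReadSink`. Four hand-kept copies of one source/sink filter can drift apart, and a drift here would silently change which artifact flows the privileged and non-privileged queries report. Declaring the predicate once in the library both EnvVar queries already import (`codeql.actions.security.EnvVarInjectionQuery`), with a sibling in the EnvPath library, would keep the variants in step.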
@@ -1,598 +0,0 @@ -files -| .github/workflows/expression_nodes.yml:0:0:0:0 | .github/workflows/expression_nodes.yml | -| .github/workflows/multiline.yml:0:0:0:0 | .github/workflows/multiline.yml | -| .github/workflows/test.yml:0:0:0:0 | .github/workflows/test.yml | -workflows -| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/test.yml:1:1:40:53 | on: push | -reusableWorkflows -compositeActions -jobs -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | -localJobs -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | -extJobs -steps -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| .github/workflows/multiline.yml:11:9:15:6 | Run Step | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| 
.github/workflows/test.yml:39:9:40:53 | Run Step: sink | -runSteps -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | LINE 1echo '${{ github.event.comment.body }}' | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/multiline.yml:11:9:15:6 | Run Step | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ 
github.event.pull_request.head.ref }} | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} | -runExprs -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:20:27:64 | 
steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | -uses -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -stepUses -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -usesArgs -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | source | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | -runStepChildren -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 
echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/multiline.yml:11:9:15:6 | Run Step | .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:13:39:16 | sink | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | -parentNodes -| .github/workflows/expression_nodes.yml:1:5:1:17 | 
issue_comment | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| 
.github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | 
-| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:16:14:19:57 
| LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/multiline.yml:3:17:3:22 | Prev | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:5:9:5:17 | completed | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:9:14:9:26 | 
ubuntu-latest | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:9:14:9:26 | ubuntu-latest | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:11:9:15:6 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:11:9:15:6 | Run Step | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:15:9:20:6 | Run Step | -| 
.github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:20:9:24:6 | Run Step | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:24:9:30:6 | Run Step | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:30:9:33:14 | Run Step | -| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | 
.github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | -| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:13:24:13:24 | 0 | 
.github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:5:5:31:2 | 
Job: job1 | -| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:25:20:25:21 | | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:1:1:40:53 | on: push | -| 
.github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:1:1:40:53 | 
on: push | -| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | -| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | -| .github/workflows/test.yml:34:10:34:24 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | -| .github/workflows/test.yml:34:11:34:25 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | -| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:36:12:36:15 | job1 | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| 
.github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | -cfgNodes -| .github/workflows/expression_nodes.yml:1:1:21:47 | enter on: issue_comment | -| .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment | -| .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment (normal) | -| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | -| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ 
github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | -| .github/workflows/multiline.yml:1:1:33:14 | enter on: | -| .github/workflows/multiline.yml:1:1:33:14 | exit on: | -| .github/workflows/multiline.yml:1:1:33:14 | exit on: (normal) | -| .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:11:9:15:6 | Run Step | -| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | -| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step 
| -| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | -| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | -| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | -| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | -| .github/workflows/test.yml:1:1:40:53 | enter on: push | -| .github/workflows/test.yml:1:1:40:53 | exit on: push | -| .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) | -| .github/workflows/test.yml:1:1:40:53 | on: push | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | 
-dfNodes -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | -| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | -| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | -| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | -| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | -| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | -| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | -| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | -| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ 
github.event.comment.body }}' echo '${{github.event.issue.body}}' | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | -| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | -| .github/workflows/multiline.yml:11:9:15:6 | Run Step | -| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | -| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step | -| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | -| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | -| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | -| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | -| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | -| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | -| .github/workflows/test.yml:27:14:27:63 | echo ${{ 
steps.source.outputs.all_changed_files }} | -| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | -| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | -| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | -| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | -argumentNodes -| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | -usesIds -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | source | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | step | -nodeLocations -| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:5:5:21:47 | .github/workflows/expression_nodes.yml@5:5:21:47 | -| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:9:8:6 | .github/workflows/expression_nodes.yml@7:9:8:6 | -| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:7:14:7:58 | .github/workflows/expression_nodes.yml@7:14:7:58 | -| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:27:7:58 | .github/workflows/expression_nodes.yml@7:27:7:58 | -| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:9:10:6 | .github/workflows/expression_nodes.yml@8:9:10:6 | -| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:8:14:9:57 | .github/workflows/expression_nodes.yml@8:14:9:57 | 
-| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:9:25:9:56 | .github/workflows/expression_nodes.yml@9:25:9:56 | -| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:9:13:6 | .github/workflows/expression_nodes.yml@10:9:13:6 | -| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:10:14:12:53 | .github/workflows/expression_nodes.yml@10:14:12:53 | -| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:11:25:11:56 | .github/workflows/expression_nodes.yml@11:25:11:56 | -| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:12:24:12:51 | .github/workflows/expression_nodes.yml@12:24:12:51 | -| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:9:16:6 | .github/workflows/expression_nodes.yml@13:9:16:6 | -| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:13:14:15:46 | .github/workflows/expression_nodes.yml@13:14:15:46 | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 | -| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 | -| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:9:20:6 | .github/workflows/expression_nodes.yml@16:9:20:6 | -| .github/workflows/expression_nodes.yml:16:14:19:57 | 
LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:16:14:19:57 | .github/workflows/expression_nodes.yml@16:14:19:57 | -| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:17:25:17:56 | .github/workflows/expression_nodes.yml@17:25:17:56 | -| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:18:24:18:51 | .github/workflows/expression_nodes.yml@18:24:18:51 | -| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:19:24:19:55 | .github/workflows/expression_nodes.yml@19:24:19:55 | -| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:9:21:47 | .github/workflows/expression_nodes.yml@20:9:21:47 | -| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | -| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | -| .github/workflows/multiline.yml:9:5:33:14 | Job: Test | .github/workflows/multiline.yml:9:5:33:14 | .github/workflows/multiline.yml@9:5:33:14 | -| .github/workflows/multiline.yml:11:9:15:6 | Run Step | .github/workflows/multiline.yml:11:9:15:6 | .github/workflows/multiline.yml@11:9:15:6 | -| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e 
"$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:11:14:14:48 | .github/workflows/multiline.yml@11:14:14:48 | -| .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:15:9:20:6 | .github/workflows/multiline.yml@15:9:20:6 | -| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:15:14:19:40 | .github/workflows/multiline.yml@15:14:19:40 | -| .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:20:9:24:6 | .github/workflows/multiline.yml@20:9:24:6 | -| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:20:14:23:40 | .github/workflows/multiline.yml@20:14:23:40 | -| .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:24:9:30:6 | .github/workflows/multiline.yml@24:9:30:6 | -| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:24:14:29:29 | .github/workflows/multiline.yml@24:14:29:29 | -| .github/workflows/multiline.yml:30:9:33:14 | Run Step | .github/workflows/multiline.yml:30:9:33:14 | .github/workflows/multiline.yml@30:9:33:14 | -| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:30:14:33:14 | .github/workflows/multiline.yml@30:14:33:14 | -| .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline.yml:32:13:32:39 | .github/workflows/multiline.yml@32:13:32:39 | -| .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:5:5:31:2 | 
.github/workflows/test.yml@5:5:31:2 | -| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | -| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:20:8:50 | .github/workflows/test.yml@8:20:8:50 | -| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:11:9:15:6 | .github/workflows/test.yml@11:9:15:6 | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:15:9:19:6 | .github/workflows/test.yml@15:9:19:6 | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:19:9:26:6 | .github/workflows/test.yml@19:9:26:6 | -| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:20:23:64 | .github/workflows/test.yml@23:20:23:64 | -| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:9:28:6 | .github/workflows/test.yml@26:9:28:6 | -| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:27:14:27:63 | .github/workflows/test.yml@27:14:27:63 | -| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:20:27:64 | .github/workflows/test.yml@27:20:27:64 | -| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:9:31:2 | .github/workflows/test.yml@28:9:31:2 | -| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:29:14:29:54 | .github/workflows/test.yml@29:14:29:54 | -| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:15:29:55 | .github/workflows/test.yml@29:15:29:55 | -| .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:32:5:40:53 | .github/workflows/test.yml@32:5:40:53 | 
-| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:9:40:53 | .github/workflows/test.yml@39:9:40:53 | -| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:40:14:40:52 | .github/workflows/test.yml@40:14:40:52 | -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:20:40:53 | .github/workflows/test.yml@40:20:40:53 | -scopes -| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | -| .github/workflows/multiline.yml:1:1:33:14 | on: | -| .github/workflows/test.yml:1:1:40:53 | on: push | -sources -| ahmadnassri/action-changed-files | * | output.files | PR changed files | manual | -| ahmadnassri/action-changed-files | * | output.json | PR changed files | manual | -| amannn/action-semantic-pull-request | * | output.error_message | PR title | manual | -| cypress-io/github-action | * | env.GH_BRANCH | PR branch | manual | -| dawidd6/action-download-artifact | * | output.artifacts | Artifact details | manual | -| dorny/paths-filter | * | output.changes | PR changed files | manual | -| franzdiebold/github-env-vars-action | * | output.CI_PR_DESCRIPTION | PR body | manual | -| franzdiebold/github-env-vars-action | * | output.CI_PR_TITLE | PR title | manual | -| googlecloudplatform/magic-modules | * | output.changed-files | PR changed files | manual | -| jitterbit/get-changed-files | * | output.added | PR changed files | manual | -| jitterbit/get-changed-files | * | output.added_modified | PR changed files | manual | -| jitterbit/get-changed-files | * | output.all | PR changed files | manual | -| jitterbit/get-changed-files | * | output.deleted | PR changed files | manual | -| jitterbit/get-changed-files | * | output.modified | PR changed files | manual | -| jitterbit/get-changed-files | * | output.removed | PR changed files | manual | -| jitterbit/get-changed-files | * | output.renamed | PR changed files | manual | 
-| khan/pull-request-comment-trigger | * | output.comment_body | Comment body | manual | -| marocchino/on_artifact | * | output.* | Downloaded artifact | manual | -| puppeteer/puppeteer/.github/workflows/changed-packages.yml | * | output.changes | Changed files | manual | -| redhat-plumbers-in-action/download-artifact | * | output.* | Downloaded artifact | manual | -| tj-actions/branch-names | * | output.current_branch | PR current branch | manual | -| tj-actions/branch-names | * | output.head_ref_branch | PR head branch | manual | -| tj-actions/branch-names | * | output.ref_branch | Branch tirggering workflow run | manual | -| tj-actions/changed-files | * | output.added_files | PR changed files | manual | -| tj-actions/changed-files | * | output.all_changed_and_modified_files | PR changed files | manual | -| tj-actions/changed-files | * | output.all_changed_files | PR changed files | manual | -| tj-actions/changed-files | * | output.all_modified_files | PR changed files | manual | -| tj-actions/changed-files | * | output.all_old_new_renamed_files | PR changed files | manual | -| tj-actions/changed-files | * | output.changed_keys | PR changed files | manual | -| tj-actions/changed-files | * | output.copied_files | PR changed files | manual | -| tj-actions/changed-files | * | output.deleted_files | PR changed files | manual | -| tj-actions/changed-files | * | output.modified_files | PR changed files | manual | -| tj-actions/changed-files | * | output.modified_keys | PR changed files | manual | -| tj-actions/changed-files | * | output.other_changed_files | PR changed files | manual | -| tj-actions/changed-files | * | output.other_deleted_files | PR changed files | manual | -| tj-actions/changed-files | * | output.other_modified_files | PR changed files | manual | -| tj-actions/changed-files | * | output.renamed_files | PR changed files | manual | -| tj-actions/changed-files | * | output.type_changed_files | PR changed files | manual | -| tj-actions/changed-files | * 
| output.unknown_files | PR changed files | manual | -| tj-actions/changed-files | * | output.unmerged_files | PR changed files | manual | -| tj-actions/verify-changed-files | * | output.changed-files | PR changed files | manual | -| trilom/file-changes-action | * | output.files | PR changed files | manual | -| trilom/file-changes-action | * | output.files_added | PR changed files | manual | -| trilom/file-changes-action | * | output.files_modified | PR changed files | manual | -| trilom/file-changes-action | * | output.files_removed | PR changed files | manual | -| tzkhan/pr-update-action | * | output.headMatch | | manual | -| xt0rted/slash-command-action | * | output.command-arguments | | manual | -summaries -| akhileshns/heroku-deploy | * | input.branch | output.status | taint | manual | -| android-actions/setup-android | * | input.cmdline-tools-version | output.ANDROID_COMMANDLINE_TOOLS_VERSION | taint | manual | -| apache/incubator-kie-tools | * | input.pnpm_filter_string | output.pnpm_filter_string | taint | manual | -| apple-actions/import-codesign-certs | * | input.keychain-password | output.keychain-password | taint | manual | -| ashley-taylor/read-json-property-action | * | input.json | output.value | taint | manual | -| ashley-taylor/regex-property-action | * | input.replacement | output.value | taint | manual | -| ashley-taylor/regex-property-action | * | input.value | output.value | taint | manual | -| aszc/change-string-case-action | * | input.replace-with | output.lowercase | taint | manual | -| aszc/change-string-case-action | * | input.replace-with | output.uppercase | taint | manual | -| aszc/change-string-case-action | * | input.string | output.capitalized | taint | manual | -| aws-actions/configure-aws-credentials | * | input.aws-access-key-id | env.AWS_ACCESS_KEY_ID | taint | manual | -| aws-actions/configure-aws-credentials | * | input.aws-access-key-id | secret.AWS_ACCESS_KEY_ID | taint | manual | -| aws-actions/configure-aws-credentials | * 
| input.aws-secret-access-key | env.AWS_SECRET_ACCESS_KEY | taint | manual | -| aws-actions/configure-aws-credentials | * | input.aws-secret-access-key | secret.AWS_SECRET_ACCESS_KEY | taint | manual | -| aws-actions/configure-aws-credentials | * | input.aws-session-token | env.AWS_SESSION_TOKEN | taint | manual | -| aws-actions/configure-aws-credentials | * | input.aws-session-token | secret.AWS_SESSION_TOKEN | taint | manual | -| aws-powertools/powertools-lambda-python | * | input.artifact_name_prefix | output.artifact_name | taint | manual | -| bobheadxi/deployments | * | input.env | output.env | taint | manual | -| bufbuild/buf-breaking-action | * | input.buf_token | env.BUF_TOKEN | taint | manual | -| bufbuild/buf-lint-action | * | input.buf_token | env.BUF_TOKEN | taint | manual | -| cachix/cachix-action | * | input.signingKey | env.CACHIX_SIGNING_KEY | taint | manual | -| cloudposse/github-action-matrix-outputs-write/.github/workflows/setup-test.yml | * | input.matrix-key | output.result | taint | manual | -| coursier/cache-action | * | input.path | env.COURSIER_CACHE | taint | manual | -| crazy-max/ghaction-import-gpg | * | input.fingerprint | output.fingerprint | taint | manual | -| csexton/release-asset-action | * | input.release-url | output.url | taint | manual | -| delaguardo/setup-clojure | * | input.boot | env.BOOT_VERSION | taint | manual | -| drawpile/drawpile | * | input.cache_key | output.cache_key | taint | manual | -| drawpile/drawpile | * | input.path | output.path | taint | manual | -| element-hq/element-desktop/.github/workflows/build_prepare.yaml | * | input.deploy | output.deploy | taint | manual | -| envoyproxy/envoy/.github/workflows/_load.yml | * | input.check-name | output.check-name | taint | manual | -| envoyproxy/envoy/.github/workflows/_load.yml | * | input.run-id | output.run-id | taint | manual | -| flagsmith/flagsmith | * | input.aws_ecr_repository_arn | output.image | taint | manual | -| frabert/replace-string-action | * | 
input.replace-with | output.replaced | taint | manual | -| frabert/replace-string-action | * | input.string | output.replaced | taint | manual | -| game-ci/unity-test-runner | * | input.artifactsPath | output.artifactsPath | taint | manual | -| getsentry/action-release | * | input.version | output.version | taint | manual | -| getsentry/action-release | * | input.version_prefix | output.version | taint | manual | -| github/codeql-action | * | input.output | output.sarif-output | taint | manual | -| gradle/gradle-build-action | * | input.build-scan-terms-of-service-agree | env.BUILD_SCAN_TERMS_OF_SERVICE_AGREE | taint | manual | -| gradle/gradle-build-action | * | input.build-scan-terms-of-service-url | env.BUILD_SCAN_TERMS_OF_SERVICE_URL | taint | manual | -| gradle/gradle-build-action | * | input.cache-encryption-key | env.GRADLE_ENCRYPTION_KEY | taint | manual | -| hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml | * | input.version | output.docker-image | taint | manual | -| hashgraph/hedera-services/.github/workflows/zxc-publish-production-image.yaml | * | input.version | output.docker-image-tag | taint | manual | -| hashicorp/vault | * | input.vault-binary-path | output.vault-binary-path | taint | manual | -| hashicorp/vault | * | input.vault-version | output.vault-version | taint | manual | -| hashicorp/vault/.github/workflows/build-artifacts-ce.yml | * | input.vault-revision | output.testable-containers | taint | manual | -| hashicorp/vault/.github/workflows/build-artifacts-ce.yml | * | input.vault-version-package | output.testable-packages | taint | manual | -| haya14busa/action-cond | * | input.if_false | output.value | taint | manual | -| haya14busa/action-cond | * | input.if_true | output.value | taint | manual | -| hexlet/project-action | * | input.mount-path | env.PWD | taint | manual | -| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.project | taint | manual | -| 
hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.repo_name | taint | manual | -| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.repository | output.repo_url | taint | manual | -| hitobito/hitobito/.github/workflows/stage-settings.yml | * | input.stage | output.release_stage | taint | manual | -| jhipster/generator-jhipster | * | input.skip-workflow | output.skip-workflow | taint | manual | -| jsdaniell/create-json | * | input.dir | output.successfully | taint | manual | -| jsdaniell/create-json | * | input.json | output.successfully | taint | manual | -| jsdaniell/create-json | * | input.name | output.successfully | taint | manual | -| jwalton/gh-ecr-push | * | input.image | output.imageUrl | taint | manual | -| kubeshop/botkube/.github/workflows/process-chart.yml | * | input.next-version | output.new-version | taint | manual | -| larsoner/circleci-artifacts-redirector-action | * | input.artifact-path | output.url | taint | manual | -| linkerd/linkerd2 | * | input.component | output.image | taint | manual | -| linkerd/linkerd2 | * | input.docker-registry | output.image | taint | manual | -| linkerd/linkerd2 | * | input.tag | output.image | taint | manual | -| mad9000/actions-find-and-replace-string | * | input.replace | output.value | taint | manual | -| mad9000/actions-find-and-replace-string | * | input.source | output.value | taint | manual | -| mattdavis0351/actions | * | input.image-name | output.imageUrl | taint | manual | -| mattdavis0351/actions | * | input.tag | output.imageUrl | taint | manual | -| metro-digital/setup-tools-for-waas | * | input.gcp_sa_key | env.GCLOUD_PROJECT | taint | manual | -| mishakav/pytest-coverage-comment | * | input.multiple-files | output.summaryReport | taint | manual | -| mymindstorm/setup-emsdk | * | input.actions-cache-folder | env.EMSDK | taint | manual | -| neondatabase/neon/.github/workflows/build-build-tools-image.yml | * | input.image-tag | output.image | taint | 
manual | -| neondatabase/neon/.github/workflows/build-build-tools-image.yml | * | input.image-tag | output.image-tag | taint | manual | -| novuhq/novu | * | input.docker_name | output.image | taint | manual | -| philosowaffle/peloton-to-garmin | * | input.os | output.artifact_name | taint | manual | -| ruby/setup-ruby | * | input.ruby-version | output.ruby-prefix | taint | manual | -| salsify/action-detect-and-tag-new-version | * | input.tag-template | output.tag | taint | manual | -| shallwefootball/upload-s3-action | * | input.destination_dir | output.object_key | taint | manual | -| shogo82148/actions-setup-perl | * | input.working-directory | env.PERL5LIB | taint | manual | -| streetsidesoftware/cspell | * | input.value | output.value | taint | manual | -| streetsidesoftware/cspell/.github/workflows/reuseable-load-integrations-repo-list.yml | * | input.ref | output.ref | taint | manual | -| suisei-cn/actions-download-file | * | input.filename | output.filename | taint | manual | -| tencent/hippy/.github/workflows/reuse_approve_checks_run.yml | * | input.pull_request_head_sha | output.pull_request_head_sha | taint | manual | -| tencent/hippy/.github/workflows/reuse_approve_checks_run.yml | * | input.pull_request_number | output.pull_request_number | taint | manual | -| timheuer/base64-to-file | * | input.fileDir | output.filePath | taint | manual | -| timheuer/base64-to-file | * | input.fileName | output.filePath | taint | manual | -| zitadel/zitadel/.github/workflows/container.yml | * | input.build_image_name | output.build_image | taint | manual | -calls -| .github/workflows/test.yml:11:9:15:6 | Uses Step | actions/checkout | -| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | tj-actions/changed-files | -| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | mad9000/actions-find-and-replace-string | -needs -| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | -testNormalizeExpr -| foo['bar'] == baz | foo.bar == baz | -| 
github.event.pull_request.user["login"] | github.event.pull_request.user.login | -| github.event.pull_request.user['login'] | github.event.pull_request.user.login | -| github.event.pull_request['user']['login'] | github.event.pull_request.user.login | -writeToGitHubEnv -| id1 | $(> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:15:9:20:6 | Run Step | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:20:9:24:6 | Run Step | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:24:9:30:6 | Run Step | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:30:9:33:14 | Run Step | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | | .github/workflows/test.yml:1:1:40:53 | enter on: push | | .github/workflows/test.yml:1:1:40:53 | exit on: push | 
@@ -295,37 +306,51 @@ cfgNodes | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | dfNodes | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | | .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | | .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | | .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | | .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | +| .github/workflows/expression_nodes.yml:13:14:15:46 
| LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | | .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | | .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | | .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | | .github/workflows/multiline.yml:11:9:15:6 | Run Step | +| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:15:9:20:6 | Run Step | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:20:9:24:6 | Run Step | +| .github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | | .github/workflows/multiline.yml:24:9:30:6 | Run Step | +| 
.github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | | .github/workflows/multiline.yml:30:9:33:14 | Run Step | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | @@ -335,11 +360,14 @@ dfNodes | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | | .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | argumentNodes | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | 
@@ -349,28 +377,39 @@ usesIds nodeLocations | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:5:5:21:47 | .github/workflows/expression_nodes.yml@5:5:21:47 | | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:9:8:6 | .github/workflows/expression_nodes.yml@7:9:8:6 | +| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:7:14:7:58 | .github/workflows/expression_nodes.yml@7:14:7:58 | | .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:27:7:58 | .github/workflows/expression_nodes.yml@7:27:7:58 | | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:9:10:6 | .github/workflows/expression_nodes.yml@8:9:10:6 | +| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:8:14:9:57 | .github/workflows/expression_nodes.yml@8:14:9:57 | | .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:9:25:9:56 | .github/workflows/expression_nodes.yml@9:25:9:56 | | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:9:13:6 | .github/workflows/expression_nodes.yml@10:9:13:6 | +| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:10:14:12:53 | .github/workflows/expression_nodes.yml@10:14:12:53 | | .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:11:25:11:56 | .github/workflows/expression_nodes.yml@11:25:11:56 | | .github/workflows/expression_nodes.yml:12:24:12:51 | 
github.event.issue.body | .github/workflows/expression_nodes.yml:12:24:12:51 | .github/workflows/expression_nodes.yml@12:24:12:51 | | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:9:16:6 | .github/workflows/expression_nodes.yml@13:9:16:6 | +| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:13:14:15:46 | .github/workflows/expression_nodes.yml@13:14:15:46 | | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 | | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 | | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:9:20:6 | .github/workflows/expression_nodes.yml@16:9:20:6 | +| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:16:14:19:57 | .github/workflows/expression_nodes.yml@16:14:19:57 | | .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:17:25:17:56 | .github/workflows/expression_nodes.yml@17:25:17:56 | | .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:18:24:18:51 | .github/workflows/expression_nodes.yml@18:24:18:51 | | .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:19:24:19:55 | .github/workflows/expression_nodes.yml@19:24:19:55 | | 
.github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:9:21:47 | .github/workflows/expression_nodes.yml@20:9:21:47 | +| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 | | .github/workflows/multiline.yml:9:5:33:14 | Job: Test | .github/workflows/multiline.yml:9:5:33:14 | .github/workflows/multiline.yml@9:5:33:14 | | .github/workflows/multiline.yml:11:9:15:6 | Run Step | .github/workflows/multiline.yml:11:9:15:6 | .github/workflows/multiline.yml@11:9:15:6 | +| .github/workflows/multiline.yml:11:14:14:48 | echo "changelog<> $GITHUB_OUTPUT\necho -e "$FILTERED_CHANGELOG" >> $GITHUB_OUTPUT\necho "CHANGELOGEOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:11:14:14:48 | .github/workflows/multiline.yml@11:14:14:48 | | .github/workflows/multiline.yml:15:9:20:6 | Run Step | .github/workflows/multiline.yml:15:9:20:6 | .github/workflows/multiline.yml@15:9:20:6 | +| .github/workflows/multiline.yml:15:14:19:40 | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none \| base64)\necho "status<<$EOF" >> $GITHUB_OUTPUT\necho "$(cat status.output.json)" >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:15:14:19:40 | .github/workflows/multiline.yml@15:14:19:40 | | .github/workflows/multiline.yml:20:9:24:6 | Run Step | .github/workflows/multiline.yml:20:9:24:6 | .github/workflows/multiline.yml@20:9:24:6 | +| 
.github/workflows/multiline.yml:20:14:23:40 | echo "response<<$EOF" >> $GITHUB_OUTPUT\necho $output >> $GITHUB_OUTPUT\necho "$EOF" >> $GITHUB_OUTPUT\n | .github/workflows/multiline.yml:20:14:23:40 | .github/workflows/multiline.yml@20:14:23:40 | | .github/workflows/multiline.yml:24:9:30:6 | Run Step | .github/workflows/multiline.yml:24:9:30:6 | .github/workflows/multiline.yml@24:9:30:6 | +| .github/workflows/multiline.yml:24:14:29:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n | .github/workflows/multiline.yml:24:14:29:29 | .github/workflows/multiline.yml@24:14:29:29 | | .github/workflows/multiline.yml:30:9:33:14 | Run Step | .github/workflows/multiline.yml:30:9:33:14 | .github/workflows/multiline.yml@30:9:33:14 | +| .github/workflows/multiline.yml:30:14:33:14 | cat <<-"EOF" > event.json\n ${{ toJson(github.event) }}\nEOF\n | .github/workflows/multiline.yml:30:14:33:14 | .github/workflows/multiline.yml@30:14:33:14 | | .github/workflows/multiline.yml:32:13:32:39 | toJson(github.event) | .github/workflows/multiline.yml:32:13:32:39 | .github/workflows/multiline.yml@32:13:32:39 | | .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:5:5:31:2 | .github/workflows/test.yml@5:5:31:2 | | .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 | 
@@ -380,64 +419,67 @@ nodeLocations | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:19:9:26:6 | .github/workflows/test.yml@19:9:26:6 | | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:20:23:64 | .github/workflows/test.yml@23:20:23:64 | | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:9:28:6 | .github/workflows/test.yml@26:9:28:6 | +| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:27:14:27:63 | .github/workflows/test.yml@27:14:27:63 | | .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:20:27:64 | .github/workflows/test.yml@27:20:27:64 | | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:9:31:2 | .github/workflows/test.yml@28:9:31:2 | +| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:29:14:29:54 | .github/workflows/test.yml@29:14:29:54 | | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:15:29:55 | .github/workflows/test.yml@29:15:29:55 | | .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:32:5:40:53 | .github/workflows/test.yml@32:5:40:53 | | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:9:40:53 | .github/workflows/test.yml@39:9:40:53 | +| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:40:14:40:52 | .github/workflows/test.yml@40:14:40:52 | | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:20:40:53 | .github/workflows/test.yml@40:20:40:53 | scopes | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment | | 
.github/workflows/multiline.yml:1:1:33:14 | on: | | .github/workflows/test.yml:1:1:40:53 | on: push | sources -| ahmadnassri/action-changed-files | * | output.files | PR changed files | manual | -| ahmadnassri/action-changed-files | * | output.json | PR changed files | manual | -| amannn/action-semantic-pull-request | * | output.error_message | PR title | manual | -| cypress-io/github-action | * | env.GH_BRANCH | PR branch | manual | -| dawidd6/action-download-artifact | * | output.artifacts | Artifact details | manual | -| dorny/paths-filter | * | output.changes | PR changed files | manual | -| franzdiebold/github-env-vars-action | * | output.CI_PR_DESCRIPTION | PR body | manual | -| franzdiebold/github-env-vars-action | * | output.CI_PR_TITLE | PR title | manual | -| googlecloudplatform/magic-modules | * | output.changed-files | PR changed files | manual | -| jitterbit/get-changed-files | * | output.added | PR changed files | manual | -| jitterbit/get-changed-files | * | output.added_modified | PR changed files | manual | -| jitterbit/get-changed-files | * | output.all | PR changed files | manual | -| jitterbit/get-changed-files | * | output.deleted | PR changed files | manual | -| jitterbit/get-changed-files | * | output.modified | PR changed files | manual | -| jitterbit/get-changed-files | * | output.removed | PR changed files | manual | -| jitterbit/get-changed-files | * | output.renamed | PR changed files | manual | -| khan/pull-request-comment-trigger | * | output.comment_body | Comment body | manual | -| marocchino/on_artifact | * | output.* | Downloaded artifact | manual | -| puppeteer/puppeteer/.github/workflows/changed-packages.yml | * | output.changes | Changed files | manual | -| redhat-plumbers-in-action/download-artifact | * | output.* | Downloaded artifact | manual | -| tj-actions/branch-names | * | output.current_branch | PR current branch | manual | -| tj-actions/branch-names | * | output.head_ref_branch | PR head branch | manual | -| 
tj-actions/branch-names | * | output.ref_branch | Branch tirggering workflow run | manual | -| tj-actions/changed-files | * | output.added_files | PR changed files | manual | -| tj-actions/changed-files | * | output.all_changed_and_modified_files | PR changed files | manual | -| tj-actions/changed-files | * | output.all_changed_files | PR changed files | manual | -| tj-actions/changed-files | * | output.all_modified_files | PR changed files | manual | -| tj-actions/changed-files | * | output.all_old_new_renamed_files | PR changed files | manual | -| tj-actions/changed-files | * | output.changed_keys | PR changed files | manual | -| tj-actions/changed-files | * | output.copied_files | PR changed files | manual | -| tj-actions/changed-files | * | output.deleted_files | PR changed files | manual | -| tj-actions/changed-files | * | output.modified_files | PR changed files | manual | -| tj-actions/changed-files | * | output.modified_keys | PR changed files | manual | -| tj-actions/changed-files | * | output.other_changed_files | PR changed files | manual | -| tj-actions/changed-files | * | output.other_deleted_files | PR changed files | manual | -| tj-actions/changed-files | * | output.other_modified_files | PR changed files | manual | -| tj-actions/changed-files | * | output.renamed_files | PR changed files | manual | -| tj-actions/changed-files | * | output.type_changed_files | PR changed files | manual | -| tj-actions/changed-files | * | output.unknown_files | PR changed files | manual | -| tj-actions/changed-files | * | output.unmerged_files | PR changed files | manual | -| tj-actions/verify-changed-files | * | output.changed-files | PR changed files | manual | -| trilom/file-changes-action | * | output.files | PR changed files | manual | -| trilom/file-changes-action | * | output.files_added | PR changed files | manual | -| trilom/file-changes-action | * | output.files_modified | PR changed files | manual | -| trilom/file-changes-action | * | output.files_removed | 
PR changed files | manual | -| tzkhan/pr-update-action | * | output.headMatch | | manual | -| xt0rted/slash-command-action | * | output.command-arguments | | manual | +| ahmadnassri/action-changed-files | * | output.files | filename | manual | +| ahmadnassri/action-changed-files | * | output.json | json | manual | +| amannn/action-semantic-pull-request | * | output.error_message | text | manual | +| cypress-io/github-action | * | env.GH_BRANCH | branch | manual | +| dawidd6/action-download-artifact | * | output.artifacts | artifact | manual | +| dorny/paths-filter | * | output.changes | filename | manual | +| franzdiebold/github-env-vars-action | * | output.CI_PR_DESCRIPTION | text | manual | +| franzdiebold/github-env-vars-action | * | output.CI_PR_TITLE | title | manual | +| googlecloudplatform/magic-modules | * | output.changed-files | filename | manual | +| jitterbit/get-changed-files | * | output.added | filename | manual | +| jitterbit/get-changed-files | * | output.added_modified | filename | manual | +| jitterbit/get-changed-files | * | output.all | filename | manual | +| jitterbit/get-changed-files | * | output.deleted | filename | manual | +| jitterbit/get-changed-files | * | output.modified | filename | manual | +| jitterbit/get-changed-files | * | output.removed | filename | manual | +| jitterbit/get-changed-files | * | output.renamed | filename | manual | +| khan/pull-request-comment-trigger | * | output.comment_body | text | manual | +| marocchino/on_artifact | * | output.* | artifact | manual | +| puppeteer/puppeteer/.github/workflows/changed-packages.yml | * | output.changes | filename | manual | +| redhat-plumbers-in-action/download-artifact | * | output.* | artifact | manual | +| tj-actions/branch-names | * | output.current_branch | branch | manual | +| tj-actions/branch-names | * | output.head_ref_branch | branch | manual | +| tj-actions/branch-names | * | output.ref_branch | branch | manual | +| tj-actions/changed-files | * | output.added_files 
| filename | manual | +| tj-actions/changed-files | * | output.all_changed_and_modified_files | filename | manual | +| tj-actions/changed-files | * | output.all_changed_files | filename | manual | +| tj-actions/changed-files | * | output.all_modified_files | filename | manual | +| tj-actions/changed-files | * | output.all_old_new_renamed_files | filename | manual | +| tj-actions/changed-files | * | output.changed_keys | filename | manual | +| tj-actions/changed-files | * | output.copied_files | filename | manual | +| tj-actions/changed-files | * | output.deleted_files | filename | manual | +| tj-actions/changed-files | * | output.modified_files | filename | manual | +| tj-actions/changed-files | * | output.modified_keys | filename | manual | +| tj-actions/changed-files | * | output.other_changed_files | filename | manual | +| tj-actions/changed-files | * | output.other_deleted_files | filename | manual | +| tj-actions/changed-files | * | output.other_modified_files | filename | manual | +| tj-actions/changed-files | * | output.renamed_files | filename | manual | +| tj-actions/changed-files | * | output.type_changed_files | filename | manual | +| tj-actions/changed-files | * | output.unknown_files | filename | manual | +| tj-actions/changed-files | * | output.unmerged_files | filename | manual | +| tj-actions/verify-changed-files | * | output.changed-files | filename | manual | +| trilom/file-changes-action | * | output.files | filename | manual | +| trilom/file-changes-action | * | output.files_added | filename | manual | +| trilom/file-changes-action | * | output.files_modified | filename | manual | +| trilom/file-changes-action | * | output.files_removed | filename | manual | +| tzkhan/pr-update-action | * | output.headMatch | branch | manual | +| xt0rted/slash-command-action | * | output.command-arguments | text | manual | summaries | akhileshns/heroku-deploy | * | input.branch | output.status | taint | manual | | android-actions/setup-android | * | 
input.cmdline-tools-version | output.ANDROID_COMMANDLINE_TOOLS_VERSION | taint | manual | diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml index c3c94755efd..8ca103cbb6a 100644 --- a/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml @@ -9,5 +9,7 @@ jobs: steps: - name: Code Injection, do not report as ENV VAR INJ run: echo ISSUE_KEY=$(echo "${{ github.event.pull_request.title }}") >> $GITHUB_ENV + - name: Code Injection, do not report as ENV VAR INJ + run: echo ISSUE_KEY=$(echo "${{ github.event.pull_request.head.ref }}") >> $GITHUB_ENV diff --git a/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml b/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml index 733b15fc956..154a8135bad 100644 --- a/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml +++ b/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml @@ -42,8 +42,19 @@ jobs: - env: TITLE: ${{ github.event.pull_request.title }} run: | - cat <<-"EOF" >> "$GITHUB_ENV" + cat <<-EOF >> "$GITHUB_ENV" echo "FOO=$TITLE" EOF + - env: + TITLE: ${{ github.event.pull_request.head.ref }} + run: | + echo "PR_TITLE=$TITLE" >> $GITHUB_ENV + - run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV + env: + TARGET_BRANCH: ${{ github.head_ref }} + - run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV + env: + TARGET_BRANCH: ${{ github.event.pull_request.title }} + diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected index 56345ca896a..241a33146b8 100644 --- a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected 
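Review bot: The test4.yml hunk swaps `cat <<-"EOF"` for `cat <<-EOF` in place, so the fixture no longer has a quoted-delimiter heredoc writing to `$GITHUB_ENV` as a should-not-report case (as far as this hunk shows; the `steps:` list begins outside it). With a quoted delimiter the shell does not expand `$TITLE` in the heredoc body, so that form is the natural negative for the new heredoc pattern. Without it, a later loosening of the regex to accept quotes would add false positives with no test failing. I would keep the old step next to the new one, with `cat <<-"EOF" >> "$GITHUB_ENV"` and a `name:` saying it must not be reported. The three steps added below it would also benefit from a `name:` each, as in test1.yml (`name: Code Injection, do not report as ENV VAR INJ`), because the expected output suggests only the `github.event.pull_request.title` variant is meant to be flagged and the `head.ref` / `github.head_ref` ones are not.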
@@ -7,6 +7,8 @@ edges | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | +| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | +| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | 
@@ -25,6 +27,10 @@ nodes | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | +| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | semmle.label | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | +| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | semmle.label | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | +| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test5.yml:10:9:30:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | subpaths diff --git a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.expected b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.expected index 2dfa8702d59..af4b70d3a60 100644 
--- a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvPathInjection.expected 
@@ -22,5 +22,4 @@ subpaths | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | Potential privileged PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | echo $PATHINJ >> $GITHUB_PATH | | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | Potential privileged PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | echo ${PATHINJ} >> $GITHUB_PATH | | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | Potential privileged PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | echo "$(cat foo/bar)" >> $GITHUB_PATH | -| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | Potential privileged PATH environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | echo "::add-path::$PATHINJ" | | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | Potential privileged PATH environment variable injection in $@, which may be controlled by an external user. | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | echo "::add-path::$PATHINJ" | diff --git a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected index f88785c38e1..8c9d923bd35 100644 --- a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected +++ b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected 
@@ -7,6 +7,8 @@ edges | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | +| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | +| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | nodes | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step | 
@@ -25,6 +27,10 @@ nodes | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | +| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | +| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | semmle.label | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | +| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | semmle.label | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | +| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/test5.yml:10:9:30:6 | Uses Step | semmle.label | Uses Step | | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | subpaths 
@@ -37,4 +43,6 @@ subpaths | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | echo "PR_TITLE<> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test4.yml:36:14:41:29 | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | {\n echo 'JSON_RESPONSE<> "$GITHUB_ENV"\n echo EOF\n} >> "$GITHUB_ENV"\n | +| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | cat <<-EOF >> "$GITHUB_ENV"\n echo "FOO=$TITLE"\nEOF\n | +| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. 
| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n |