Expect external workflows and actions in .github/workflow/external and .github/actions/external

2026-05-05 21:55:19 +02:00 · 2024-12-13 16:49:17 +01:00
parent d0c761bb23
commit 455afc2bb2
12 changed files with 383 additions and 72 deletions
--- a/ql/lib/codeql/actions/Helper.qll
+++ b/ql/lib/codeql/actions/Helper.qll
@@ -50,10 +50,12 @@ string getRepoRoot() {
          .getRelativePath()
          .prefix(w.getLocation().getFile().getRelativePath().indexOf("/.github/workflows") + 1) and
    // exclude workflow_enum reusable workflows directory root
-    not result.indexOf(".github/reusable_workflows/") > -1
+    not result.indexOf(".github/workflows/external/") > -1 and
+    not result.indexOf(".github/actions/external/") > -1
    or
    not w.getLocation().getFile().getRelativePath().indexOf("/.github/workflows") > 0 and
-    not w.getLocation().getFile().getRelativePath().indexOf(".github/reusable_workflows") > -1 and
+    not w.getLocation().getFile().getRelativePath().indexOf(".github/workflows/external/") > -1 and
+    not w.getLocation().getFile().getRelativePath().indexOf(".github/actions/external/") > -1 and
    result = ""
  )
 }
--- a/ql/lib/codeql/actions/ast/internal/Ast.qll
+++ b/ql/lib/codeql/actions/ast/internal/Ast.qll
@@ -425,7 +425,7 @@ class CompositeActionImpl extends AstNodeImpl, TCompositeAction {
            .replaceAll(getRepoRoot(), "")
            .replaceAll("/action.yml", "")
            .replaceAll("/action.yaml", "")
-            .replaceAll(".github/reusable_workflows/", "")
+            .replaceAll(".github/actions/external/", "")
  }

  private predicate hasExplicitSecretAccess() {
@@ -550,7 +550,7 @@ class ReusableWorkflowImpl extends AstNodeImpl, WorkflowImpl {
            .getFile()
            .getRelativePath()
            .replaceAll(getRepoRoot(), "")
-            .replaceAll(".github/reusable_workflows/", "")
+            .replaceAll(".github/workflows/external/", "")
  }
 }

--- a/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml
+++ b/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml
@@ -44,3 +44,4 @@ runs:
        ref: refs/pull/${{ github.event.number }}/merge
        fetch-depth: ${{ inputs.fetch-depth }}

+
--- a/ql/test/query-tests/Security/CWE-094/.github/actions/external/ultralytics/actions/action.yaml
+++ b/ql/test/query-tests/Security/CWE-094/.github/actions/external/ultralytics/actions/action.yaml
@@ -0,0 +1,258 @@
+# Ultralytics Actions 🚀, AGPL-3.0 License https://ultralytics.com/license
+
+name: "Ultralytics Actions"
+author: "Ultralytics"
+description: "Optimize code and docs with official Ultralytics Actions for syntax, spelling, and link checks."
+branding:
+  icon: "code"
+  color: "blue"
+inputs:
+  token:
+    description: "GitHub token"
+    required: true
+  labels:
+    description: "Run issue and PR auto-labeling"
+    required: false
+    default: "false"
+  python:
+    description: "Run Python formatting"
+    required: false
+    default: "false"
+  markdown:
+    description: "Run Markdown formatting (deprecated in favor of prettier)"
+    required: false
+    default: "false"
+  prettier:
+    description: "Run Prettier formatting for JavaScript, JSX, Angular, Vue, Flow, TypeScript, CSS, HTML, JSON, GraphQL, Markdown, YAML"
+    required: false
+    default: "false"
+  swift:
+    description: "Run Swift formatting"
+    required: false
+    default: "false"
+  spelling:
+    description: "Run Spelling checks"
+    required: false
+    default: "false"
+  links:
+    description: "Run Broken Links checks"
+    required: false
+    default: "false"
+  summary:
+    description: "Run PR Summary"
+    required: false
+    default: "false"
+  openai_api_key:
+    description: "OpenAI API Key"
+    required: false
+  openai_model:
+    description: "OpenAI Model"
+    required: false
+    default: "gpt-4o"
+  first_issue_response:
+    description: "Example response to a new issue"
+    required: false
+  first_pr_response:
+    description: "Example response to a new PR"
+    required: false
+  github_username:
+    description: "GitHub username for commits"
+    required: false
+    default: "UltralyticsAssistant"
+  github_email:
+    description: "GitHub email for commits"
+    required: false
+    default: "web@ultralytics.com"
+  body:
+    description: "PR body"
+    required: false
+    default: ""
+runs:
+  using: "composite"
+  steps:
+    - uses: astral-sh/setup-uv@v3
+    - name: Install Dependencies
+      # Note tomli required for codespell with pyproject.toml
+      # For debug:
+      #   python -m pip install --upgrade pip wheel
+      #   pip install -q git+https://github.com/ultralytics/actions@main codespell tomli
+      run: |
+        packages="ultralytics-actions"
+        if [ "${{ inputs.spelling }}" = "true" ]; then
+          packages="$packages codespell tomli"
+        fi
+
+        # On macOS, don't use sudo as it can cause environment issues
+        if [ "$(uname)" = "Darwin" ]; then
+          pip install -q $packages
+        else
+          sudo env "PATH=$PATH" uv pip install --system $packages
+        fi
+
+        ultralytics-actions-info
+      shell: bash
+    - shell: bash
+      run: |
+        echo "${{ inputs.body }}"
+
+    # Checkout Repository ----------------------------------------------------------------------------------------------
+    - name: Checkout Repository
+      if: github.event.action != 'closed'
+      uses: actions/checkout@v4
+      with:
+        repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
+        token: ${{ inputs.token }}
+        ref: ${{ github.head_ref || github.ref }}
+        fetch-depth: 0
+
+    # PR Summary -------------------------------------------------------------------------------------------------------
+    - name: PR Summary
+      if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.summary == 'true' && github.event.action != 'synchronize'
+      env:
+        GITHUB_TOKEN: ${{ inputs.token }}
+        OPENAI_API_KEY: ${{ inputs.openai_api_key }}
+        OPENAI_MODEL: ${{ inputs.openai_model }}
+      run: |
+        ultralytics-actions-summarize-pr
+      shell: bash
+      continue-on-error: true
+
+    # Python formatting ------------------------------------------------------------------------------------------------
+    # Ignores the following Docs rules to match Google-style docstrings:
+    # D100: Missing docstring in public module
+    # D104: Missing docstring in public package
+    # D203: 1 blank line required before class docstring
+    # D205: 1 blank line required between summary line and description
+    # D212: Multi-line docstring summary should start at the first line
+    # D213: Multi-line docstring summary should start at the second line
+    # D401: First line of docstring should be in imperative mood
+    # D406: Section name should end with a newline
+    # D407: Missing dashed underline after section
+    # D413: Missing blank line after last section
+    # --target-version is Python 3.8 for --extend-select UP (pyupgrade)
+    - name: Run Python
+      if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.python == 'true' && github.event.action != 'closed'
+      run: |
+        ruff format \
+        --line-length 120 \
+        . || true
+        ruff check \
+        --fix \
+        --unsafe-fixes \
+        --extend-select I,D,UP \
+        --target-version py38 \
+        --ignore D100,D104,D203,D205,D212,D213,D401,D406,D407,D413 \
+        . || true
+        docformatter \
+        --wrap-summaries 120 \
+        --wrap-descriptions 120 \
+        --pre-summary-newline \
+        --close-quotes-on-newline \
+        --in-place \
+        --recursive \
+        .
+      shell: bash
+      continue-on-error: true
+
+    # Prettier (JavaScript, JSX, Angular, Vue, Flow, TypeScript, CSS, HTML, JSON, GraphQL, Markdown, YAML) -------------
+    - name: Run Prettier
+      if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && (inputs.prettier == 'true' || inputs.markdown == 'true') && github.event.action != 'closed'
+      run: |
+        ultralytics-actions-update-markdown-code-blocks
+        npm install --global prettier
+        npx prettier --write "**/*.{js,jsx,ts,tsx,css,less,scss,json,yml,yaml,html,vue,svelte}" '!**/*lock.{json,yaml,yml}' '!**/*.lock' '!**/model.json'
+        # Handle Markdown separately
+        find . -name "*.md" ! -path "*/docs/*" -exec npx prettier --write {} +
+        if [ -d "./docs" ]; then
+          find ./docs -name "*.md" ! -path "*/reference/*" -exec npx prettier --tab-width 4 --write {} +
+        fi
+      shell: bash
+      continue-on-error: true
+
+    # - name: Fix MkDocs reference section changes
+    #   if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && (inputs.prettier == 'true' || inputs.markdown == 'true') && github.event.action != 'closed'
+    #   run: |
+    #     from pathlib import Path
+    #     for file in Path("./docs").rglob('*.md'):
+    #         content = file.read_text()
+    #         updated_content = content.replace(".\_","._")
+    #         file.write_text(updated_content)
+    #   shell: python
+    #   continue-on-error: true
+
+    # Swift formatting -------------------------------------------------------------------------------------------------
+    - name: Run Swift Formatter
+      if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.swift == 'true' && github.event.action != 'closed'
+      run: |
+        brew install swift-format
+        swift-format --in-place --recursive .
+      shell: bash
+      continue-on-error: true
+
+    # Spelling ---------------------------------------------------------------------------------------------------------
+    - name: Run Codespell
+      if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && inputs.spelling == 'true' && github.event.action != 'closed'
+      run: |
+        codespell \
+          --write-changes \
+          --ignore-words-list "crate,nd,ned,strack,dota,ane,segway,fo,gool,winn,commend,bloc,nam,afterall,skelton,goin" \
+          --skip "*.pt,*.pth,*.torchscript,*.onnx,*.tflite,*.pb,*.bin,*.param,*.mlmodel,*.engine,*.npy,*.data*,*.csv,*pnnx*,*venv*,*translat*,*lock*,__pycache__*,*.ico,*.jpg,*.png,*.mp4,*.mov,/runs,/.git,./docs/??/*.md,./docs/mkdocs_??.yml"
+      shell: bash
+      continue-on-error: true
+
+    # Autolabel Issues and PRs (run before commit changes in case commit fails) ----------------------------------------
+    - name: Autolabel Issues and PRs
+      if: inputs.labels == 'true' && (github.event.action == 'opened' || github.event.action == 'created')
+      env:
+        GITHUB_TOKEN: ${{ inputs.token }}
+        FIRST_ISSUE_RESPONSE: ${{ inputs.first_issue_response }}
+        FIRST_PR_RESPONSE: ${{ inputs.first_pr_response }}
+        OPENAI_API_KEY: ${{ inputs.openai_api_key }}
+        OPENAI_MODEL: ${{ inputs.openai_model }}
+      run: |
+        ultralytics-actions-first-interaction
+      shell: bash
+      continue-on-error: true
+
+    # Commit Changes ---------------------------------------------------------------------------------------------------
+    - name: Commit and Push Changes
+      if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && github.event.action != 'closed'
+      run: |
+        git config --global user.name "${{ inputs.github_username }}"
+        git config --global user.email "${{ inputs.github_email }}"
+        git pull origin ${{ github.head_ref || github.ref }}
+        git add .
+        git reset HEAD -- .github/workflows/  # workflow changes are not permitted with default token
+        if ! git diff --staged --quiet; then
+          git commit -m "Auto-format by https://ultralytics.com/actions"
+          git push
+        else
+          echo "No changes to commit"
+        fi
+      shell: bash
+      continue-on-error: false
+
+    # Broken links -----------------------------------------------------------------------------------------------------
+    - name: Broken Link Checker
+      if: inputs.links == 'true' && github.event.action != 'closed'
+      uses: lycheeverse/lychee-action@v2.0.2
+      with:
+        # Check all markdown and html files in repo. Ignores the following status codes to reduce false positives:
+        #   - 403(OpenVINO, "forbidden")
+        #   - 429(Instagram, "too many requests")
+        #   - 500(Zenodo, "cached")
+        #   - 502(Zenodo, "bad gateway")
+        #   - 999(LinkedIn, "unknown status code")
+        args: |
+          --scheme https
+          --timeout 60
+          --insecure
+          --accept 403,429,500,502,999
+          --exclude-all-private
+          --exclude "https?://(www\.)?(github\.com|linkedin\.com|twitter\.com|instagram\.com|kaggle\.com|fonts\.gstatic\.com|url\.com)"
+          "./**/*.md"
+          "./**/*.html"
+        token: ${{ inputs.token }}
+        output: ../lychee/results.md
+        fail: true
+      continue-on-error: false
--- a/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml
--- a/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml
--- a/ql/test/query-tests/Security/CWE-094/.github/workflows/test29.yml
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test29.yml
@@ -0,0 +1,36 @@
+# Ultralytics 🚀 - AGPL-3.0 License https://ultralytics.com/license
+# Ultralytics Actions https://github.com/ultralytics/actions
+# This workflow automatically formats code and documentation in PRs to official Ultralytics standards
+
+name: Ultralytics Actions
+
+on:
+  issues:
+    types: [opened, edited]
+  discussion:
+    types: [created]
+  pull_request_target:
+    branches: [main]
+    types: [opened, closed, synchronize, review_requested]
+
+permissions:
+  contents: write
+
+jobs:
+  format:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Run Ultralytics Formatting
+        uses: ultralytics/actions@main
+        with:
+          token: ${{ secrets._GITHUB_TOKEN }} # note GITHUB_TOKEN automatically generated
+          labels: true # autolabel issues and PRs
+          python: true # format Python code and docstrings
+          prettier: true # format YAML, JSON, Markdown and CSS
+          spelling: true # check spelling
+          links: false # check broken links
+          summary: true # print PR summary with GPT4o (requires 'openai_api_key')
+          openai_api_key: ${{ secrets.OPENAI_API_KEY }}
+          first_issue_response: "foo"
+          body: ${{ github.event.pull_request.body }}
+
--- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
@@ -8,16 +8,12 @@ edges
 | .github/actions/action5/action.yml:23:15:23:33 | inputs.taint | .github/actions/action5/action.yml:20:7:26:4 | Run Step: step [result] | provenance |  |
 | .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | .github/actions/action5/action.yml:14:13:14:46 | steps.step2.outputs.result2 | provenance |  |
 | .github/actions/action5/action.yml:28:16:28:45 | github.event.issue.body | .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | provenance |  |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | provenance |  |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | provenance |  |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | provenance |  |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | provenance |  |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | provenance |  |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | provenance |  |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:84:75 | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<<EOF" >> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n  "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n  'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | provenance |  |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | provenance |  |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | provenance |  |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | provenance |  |
+| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | provenance |  |
+| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | provenance |  |
+| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | provenance |  |
+| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | provenance |  |
+| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | provenance |  |
+| .github/actions/external/ultralytics/actions/action.yaml:66:3:66:6 | input body | .github/actions/external/ultralytics/actions/action.yaml:96:16:96:33 | inputs.body | provenance |  |
 | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | provenance |  |
 | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | provenance |  |
 | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | provenance |  |
@@ -53,7 +49,7 @@ edges
 | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | provenance |  |
 | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | provenance |  |
 | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | provenance |  |
-| .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | provenance |  |
+| .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | provenance |  |
 | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | provenance |  |
 | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | provenance |  |
 | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | provenance |  |
@@ -61,6 +57,11 @@ edges
 | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | provenance |  |
 | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | provenance |  |
 | .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | provenance |  |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | provenance |  |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:84:75 | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<<EOF" >> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n  "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n  'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | provenance |  |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | provenance |  |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | provenance |  |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | provenance |  |
 | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | provenance |  |
 | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | provenance |  |
 | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | provenance |  |
@@ -98,7 +99,7 @@ edges
 | .github/workflows/reusable-workflow-2.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | provenance |  |
 | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | provenance |  |
 | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | provenance |  |
-| .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | provenance |  |
+| .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | provenance |  |
 | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | provenance |  |
 | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | provenance |  |
 | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | provenance |  |
@@ -211,6 +212,7 @@ edges
 | .github/workflows/test27.yml:35:9:41:6 | Uses Step | .github/workflows/test27.yml:43:14:44:66 | echo "chart_version=$(<ERSION)" \| tee -a $GITHUB_OUTPUT\n | provenance | Config |
 | .github/workflows/test27.yml:41:9:46:2 | Run Step: get-version [chart_version] | .github/workflows/test27.yml:20:23:20:68 | steps.get-version.outputs.chart_version | provenance |  |
 | .github/workflows/test27.yml:43:14:44:66 | echo "chart_version=$(<ERSION)" \| tee -a $GITHUB_OUTPUT\n | .github/workflows/test27.yml:41:9:46:2 | Run Step: get-version [chart_version] | provenance |  |
+| .github/workflows/test29.yml:35:18:35:54 | github.event.pull_request.body | .github/actions/external/ultralytics/actions/action.yaml:66:3:66:6 | input body | provenance |  |
 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance |  |
 | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance |  |
 | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance |  |
@@ -248,22 +250,15 @@ nodes
 | .github/actions/action7/action.yml:214:41:214:69 | inputs.github_username | semmle.label | inputs.github_username |
 | .github/actions/action7/action.yml:215:41:215:66 | inputs.github_email | semmle.label | inputs.github_email |
 | .github/actions/action7/action.yml:217:25:217:60 | github.head_ref \|\| github.ref | semmle.label | github.head_ref \|\| github.ref |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | semmle.label | input title |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | semmle.label | output Job outputs node [result] |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | semmle.label | steps.out.outputs.replaced |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | semmle.label | inputs.title |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | semmle.label | Uses Step: out [replaced] |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | semmle.label | inputs.title |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | semmle.label | Run Step: git-commit [file-list] |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:84:75 | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<<EOF" >> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n  "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n  'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | semmle.label | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<<EOF" >> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n  "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n  'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | semmle.label | steps.git-commit.outputs.file-list |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | semmle.label | input taint |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | semmle.label | github.event.changes.title.from |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | semmle.label | env.log |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | semmle.label | env.prev_log |
+| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | semmle.label | input title |
+| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | semmle.label | output Job outputs node [result] |
+| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | semmle.label | steps.out.outputs.replaced |
+| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | semmle.label | inputs.title |
+| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | semmle.label | Uses Step: out [replaced] |
+| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | semmle.label | inputs.title |
+| .github/actions/external/ultralytics/actions/action.yaml:66:3:66:6 | input body | semmle.label | input body |
+| .github/actions/external/ultralytics/actions/action.yaml:96:16:96:33 | inputs.body | semmle.label | inputs.body |
+| .github/actions/external/ultralytics/actions/action.yaml:223:25:223:60 | github.head_ref \|\| github.ref | semmle.label | github.head_ref \|\| github.ref |
 | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] |
 | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title |
 | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE |
@@ -336,6 +331,16 @@ nodes
 | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | semmle.label | github.event.discussion.title |
 | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | semmle.label | github.event.discussion.body |
 | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | semmle.label | github.event.comment.body |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | semmle.label | Run Step: git-commit [file-list] |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:84:75 | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<<EOF" >> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n  "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n  'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | semmle.label | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<<EOF" >> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n  "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n  'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | semmle.label | steps.git-commit.outputs.file-list |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | semmle.label | input taint |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | semmle.label | github.event.changes.title.from |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | semmle.label | env.log |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | semmle.label | env.prev_log |
 | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | semmle.label | github.event.pages[1].title |
 | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | semmle.label | github.event.pages[11].title |
 | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | semmle.label | github.event.pages[0].page_name |
@@ -621,6 +626,7 @@ nodes
 | .github/workflows/test27.yml:41:9:46:2 | Run Step: get-version [chart_version] | semmle.label | Run Step: get-version [chart_version] |
 | .github/workflows/test27.yml:43:14:44:66 | echo "chart_version=$(<ERSION)" \| tee -a $GITHUB_OUTPUT\n | semmle.label | echo "chart_version=$(<ERSION)" \| tee -a $GITHUB_OUTPUT\n |
 | .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | semmle.label | needs.setup.outputs.chart-version |
+| .github/workflows/test29.yml:35:18:35:54 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
 | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 |
 | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] |
@@ -655,18 +661,15 @@ nodes
 | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
 subpaths
 | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] |
-| .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] |
+| .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] |
 #select
 | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | .github/workflows/composite-action-caller-1.yml:3:3:3:21 | pull_request_target | pull_request_target |
 | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | issue_comment |
 | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | ${{ inputs.taint }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | issue_comment |
 | .github/actions/action6/action.yml:216:25:216:60 | github.head_ref \|\| github.ref | .github/actions/action6/action.yml:216:25:216:60 | github.head_ref \|\| github.ref | .github/actions/action6/action.yml:216:25:216:60 | github.head_ref \|\| github.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action6/action.yml:216:25:216:60 | github.head_ref \|\| github.ref | ${{ github.head_ref \|\| github.ref }} | .github/workflows/test28.yml:12:3:12:21 | pull_request_target | pull_request_target |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | ${{ inputs.title }} | .github/workflows/composite-action-caller-4.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:84:75 | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<<EOF" >> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n  "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n  'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | ${{ steps.git-commit.outputs.file-list }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | ${{ env.log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | ${{ inputs.title }} | .github/workflows/composite-action-caller-4.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/actions/external/ultralytics/actions/action.yaml:96:16:96:33 | inputs.body | .github/workflows/test29.yml:35:18:35:54 | github.event.pull_request.body | .github/actions/external/ultralytics/actions/action.yaml:96:16:96:33 | inputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/external/ultralytics/actions/action.yaml:96:16:96:33 | inputs.body | ${{ inputs.body }} | .github/workflows/test29.yml:12:3:12:21 | pull_request_target | pull_request_target |
+| .github/actions/external/ultralytics/actions/action.yaml:223:25:223:60 | github.head_ref \|\| github.ref | .github/actions/external/ultralytics/actions/action.yaml:223:25:223:60 | github.head_ref \|\| github.ref | .github/actions/external/ultralytics/actions/action.yaml:223:25:223:60 | github.head_ref \|\| github.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/external/ultralytics/actions/action.yaml:223:25:223:60 | github.head_ref \|\| github.ref | ${{ github.head_ref \|\| github.ref }} | .github/workflows/test29.yml:12:3:12:21 | pull_request_target | pull_request_target |
 | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | .github/workflows/argus_case_study.yml:4:3:4:8 | issues | issues |
 | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | .github/workflows/artifactpoisoning1.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | .github/workflows/artifactpoisoning2.yml:4:3:4:14 | workflow_run | workflow_run |
@@ -695,6 +698,11 @@ subpaths
 | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} | .github/workflows/discussion_comment.yml:1:5:1:22 | discussion_comment | discussion_comment |
 | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} | .github/workflows/discussion_comment.yml:1:5:1:22 | discussion_comment | discussion_comment |
 | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/discussion_comment.yml:1:5:1:22 | discussion_comment | discussion_comment |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:84:75 | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<<EOF" >> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n  "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n  'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | ${{ steps.git-commit.outputs.file-list }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | ${{ env.log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | ${{ steps.trim-url.outputs.trimmed_url }} | .github/workflows/image_link_generator.yml:4:3:4:15 | issue_comment | issue_comment |
 | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | ${{ github.event.issue.title }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues |
 | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/issues.yaml:1:5:1:10 | issues | issues |
--- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
@@ -8,16 +8,12 @@ edges
 | .github/actions/action5/action.yml:23:15:23:33 | inputs.taint | .github/actions/action5/action.yml:20:7:26:4 | Run Step: step [result] | provenance |  |
 | .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | .github/actions/action5/action.yml:14:13:14:46 | steps.step2.outputs.result2 | provenance |  |
 | .github/actions/action5/action.yml:28:16:28:45 | github.event.issue.body | .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | provenance |  |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | provenance |  |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | provenance |  |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | provenance |  |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | provenance |  |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | provenance |  |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | provenance |  |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:84:75 | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<<EOF" >> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n  "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n  'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | provenance |  |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | provenance |  |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | provenance |  |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | provenance |  |
+| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | provenance |  |
+| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | provenance |  |
+| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | provenance |  |
+| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | provenance |  |
+| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | provenance |  |
+| .github/actions/external/ultralytics/actions/action.yaml:66:3:66:6 | input body | .github/actions/external/ultralytics/actions/action.yaml:96:16:96:33 | inputs.body | provenance |  |
 | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | provenance |  |
 | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | provenance |  |
 | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | provenance |  |
@@ -53,7 +49,7 @@ edges
 | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | provenance |  |
 | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | provenance |  |
 | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | provenance |  |
-| .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | provenance |  |
+| .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | provenance |  |
 | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | provenance |  |
 | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | provenance |  |
 | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | provenance |  |
@@ -61,6 +57,11 @@ edges
 | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | provenance |  |
 | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | provenance |  |
 | .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | provenance |  |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | provenance |  |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:84:75 | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<<EOF" >> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n  "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n  'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | provenance |  |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | provenance |  |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | provenance |  |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | provenance |  |
 | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | provenance |  |
 | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | provenance |  |
 | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | provenance |  |
@@ -98,7 +99,7 @@ edges
 | .github/workflows/reusable-workflow-2.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | provenance |  |
 | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | provenance |  |
 | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | provenance |  |
-| .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | provenance |  |
+| .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | provenance |  |
 | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | provenance |  |
 | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | provenance |  |
 | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | provenance |  |
@@ -211,6 +212,7 @@ edges
 | .github/workflows/test27.yml:35:9:41:6 | Uses Step | .github/workflows/test27.yml:43:14:44:66 | echo "chart_version=$(<ERSION)" \| tee -a $GITHUB_OUTPUT\n | provenance | Config |
 | .github/workflows/test27.yml:41:9:46:2 | Run Step: get-version [chart_version] | .github/workflows/test27.yml:20:23:20:68 | steps.get-version.outputs.chart_version | provenance |  |
 | .github/workflows/test27.yml:43:14:44:66 | echo "chart_version=$(<ERSION)" \| tee -a $GITHUB_OUTPUT\n | .github/workflows/test27.yml:41:9:46:2 | Run Step: get-version [chart_version] | provenance |  |
+| .github/workflows/test29.yml:35:18:35:54 | github.event.pull_request.body | .github/actions/external/ultralytics/actions/action.yaml:66:3:66:6 | input body | provenance |  |
 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance |  |
 | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance |  |
 | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance |  |
@@ -248,22 +250,15 @@ nodes
 | .github/actions/action7/action.yml:214:41:214:69 | inputs.github_username | semmle.label | inputs.github_username |
 | .github/actions/action7/action.yml:215:41:215:66 | inputs.github_email | semmle.label | inputs.github_email |
 | .github/actions/action7/action.yml:217:25:217:60 | github.head_ref \|\| github.ref | semmle.label | github.head_ref \|\| github.ref |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | semmle.label | input title |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | semmle.label | output Job outputs node [result] |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | semmle.label | steps.out.outputs.replaced |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | semmle.label | inputs.title |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | semmle.label | Uses Step: out [replaced] |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | semmle.label | inputs.title |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | semmle.label | Run Step: git-commit [file-list] |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:84:75 | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<<EOF" >> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n  "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n  'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | semmle.label | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<<EOF" >> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n  "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n  'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | semmle.label | steps.git-commit.outputs.file-list |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | semmle.label | input taint |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | semmle.label | github.event.changes.title.from |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | semmle.label | env.log |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | semmle.label | env.prev_log |
+| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | semmle.label | input title |
+| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | semmle.label | output Job outputs node [result] |
+| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | semmle.label | steps.out.outputs.replaced |
+| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | semmle.label | inputs.title |
+| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | semmle.label | Uses Step: out [replaced] |
+| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | semmle.label | inputs.title |
+| .github/actions/external/ultralytics/actions/action.yaml:66:3:66:6 | input body | semmle.label | input body |
+| .github/actions/external/ultralytics/actions/action.yaml:96:16:96:33 | inputs.body | semmle.label | inputs.body |
+| .github/actions/external/ultralytics/actions/action.yaml:223:25:223:60 | github.head_ref \|\| github.ref | semmle.label | github.head_ref \|\| github.ref |
 | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] |
 | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title |
 | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE |
@@ -336,6 +331,16 @@ nodes
 | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | semmle.label | github.event.discussion.title |
 | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | semmle.label | github.event.discussion.body |
 | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | semmle.label | github.event.comment.body |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | semmle.label | Run Step: git-commit [file-list] |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:84:75 | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<<EOF" >> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n  "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n  'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | semmle.label | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<<EOF" >> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n  "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n  'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | semmle.label | steps.git-commit.outputs.file-list |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | semmle.label | input taint |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | semmle.label | github.event.changes.title.from |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | semmle.label | env.log |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | semmle.label | env.prev_log |
 | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | semmle.label | github.event.pages[1].title |
 | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | semmle.label | github.event.pages[11].title |
 | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | semmle.label | github.event.pages[0].page_name |
@@ -621,6 +626,7 @@ nodes
 | .github/workflows/test27.yml:41:9:46:2 | Run Step: get-version [chart_version] | semmle.label | Run Step: get-version [chart_version] |
 | .github/workflows/test27.yml:43:14:44:66 | echo "chart_version=$(<ERSION)" \| tee -a $GITHUB_OUTPUT\n | semmle.label | echo "chart_version=$(<ERSION)" \| tee -a $GITHUB_OUTPUT\n |
 | .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | semmle.label | needs.setup.outputs.chart-version |
+| .github/workflows/test29.yml:35:18:35:54 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
 | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 |
 | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] |
@@ -655,7 +661,7 @@ nodes
 | .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
 subpaths
 | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] |
-| .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] |
+| .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] |
 #select
 | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} |
 | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} |
--- a/ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml
--- a/ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml
--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
@@ -8,9 +8,6 @@ edges
 | .github/actions/download-artifact/action.yaml:25:7:29:4 | Run Step | .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step |
 | .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step | .github/workflows/artifactpoisoning91.yml:19:9:25:6 | Run Step: metadata |
 | .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step | .github/workflows/resolve-args.yml:22:9:36:13 | Run Step: resolve-step |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:14:9:19:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:25:9:70:20 | Run Step |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step |
 | .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step |
 | .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step |
 | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step |
@@ -85,6 +82,9 @@ edges
 | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:20:9:25:6 | Uses Step |
 | .github/workflows/dependabot3.yml:20:9:25:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone |
 | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:48:9:52:57 | Run Step |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:14:9:19:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:25:9:70:20 | Run Step |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step |
 | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:18:11:21:8 | Uses Step |
 | .github/workflows/gitcheckout.yml:18:11:21:8 | Uses Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step |
 | .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step |
@@ -322,12 +322,12 @@ edges
 | .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step |
 | .github/workflows/workflow_run_untrusted_checkout_3.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_3.yml:16:9:18:31 | Uses Step |
 #select
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
 | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
 | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
 | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
 | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | pull_request_target |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | pull_request_target |
 | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | pull_request_target |
 | .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment |