Merge pull request #27 from GitHubSecurityLab/refactor_astnode

Add Expression nodes and locations
2026-04-30 11:15:13 +02:00 · 2024-03-07 15:36:54 +01:00
parent b3cecfc7e8 96246f4b74
commit 4f7cce9c11
32 changed files with 1251 additions and 753 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@
 ql/lib/.codeql/
 ql/src/.codeql/
 ql/test/.codeql/
+db/
--- a/ql/lib/codeql/Locations.qll
+++ b/ql/lib/codeql/Locations.qll
@@ -1,6 +1,7 @@
 /** Provides classes for working with locations. */

 import files.FileSystem
+import codeql.actions.Ast

 bindingset[loc]
 pragma[inline_late]
@@ -11,30 +12,57 @@ private string locationToString(Location loc) {
  )
 }

+newtype TLocation =
+  TBaseLocation(string filepath, int startline, int startcolumn, int endline, int endcolumn) {
+    exists(File file |
+      file.getAbsolutePath() = filepath and
+      locations_default(_, file, startline, startcolumn, endline, endcolumn)
+    )
+    or
+    exists(ExpressionNode e |
+      e.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+    )
+    or
+    filepath = "" and startline = 0 and startcolumn = 0 and endline = 0 and endcolumn = 0
+  }
+
 /**
 * A location as given by a file, a start line, a start column,
 * an end line, and an end column.
 *
 * For more information about locations see [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
 */
-class Location extends @location_default {
+class Location extends TLocation, TBaseLocation {
+  string filepath;
+  int startline;
+  int startcolumn;
+  int endline;
+  int endcolumn;
+
+  Location() { this = TBaseLocation(filepath, startline, startcolumn, endline, endcolumn) }
+
  /** Gets the file for this location. */
-  File getFile() { locations_default(this, result, _, _, _, _) }
+  File getFile() {
+    exists(File file |
+      file.getAbsolutePath() = filepath and
+      result = file
+    )
+  }

  /** Gets the 1-based line number (inclusive) where this location starts. */
-  int getStartLine() { locations_default(this, _, result, _, _, _) }
+  int getStartLine() { result = startline }

  /** Gets the 1-based column number (inclusive) where this location starts. */
-  int getStartColumn() { locations_default(this, _, _, result, _, _) }
+  int getStartColumn() { result = startcolumn }

-  /** Gets the 1-based line number (inclusive) where this location ends. */
-  int getEndLine() { locations_default(this, _, _, _, result, _) }
+  /** Gets the 1-based line number (inclusive) where this.getLocationDefault() location ends. */
+  int getEndLine() { result = endline }

-  /** Gets the 1-based column number (inclusive) where this location ends. */
-  int getEndColumn() { locations_default(this, _, _, _, _, result) }
+  /** Gets the 1-based column number (inclusive) where this.getLocationDefault() location ends. */
+  int getEndColumn() { result = endcolumn }

  /** Gets the number of lines covered by this location. */
-  int getNumLines() { result = this.getEndLine() - this.getStartLine() + 1 }
+  int getNumLines() { result = endline - startline + 1 }

  /** Gets a textual representation of this element. */
  pragma[inline]
@@ -47,13 +75,12 @@ class Location extends @location_default {
   * For more information, see
   * [Providing locations in CodeQL queries](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
   */
-  predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    exists(File f |
-      locations_default(this, f, startline, startcolumn, endline, endcolumn) and
-      filepath = f.getAbsolutePath()
-    )
+  predicate hasLocationInfo(string p, int sl, int sc, int el, int ec) {
+    p = filepath and
+    sl = startline and
+    sc = startcolumn and
+    el = endline and
+    ec = endcolumn
  }

  /** Holds if this location starts strictly before the specified location. */
--- a/ql/lib/codeql/actions/Ast.qll
+++ b/ql/lib/codeql/actions/Ast.qll
@@ -1,19 +1,24 @@
 private import codeql.actions.ast.internal.Yaml
 private import codeql.Locations

-/**
- * Base class for the AST tree. Based on YamlNode from the Yaml library.
- */
-class AstNode instanceof YamlNode {
-  AstNode getParentNode() { result = super.getParentNode() }
+newtype TAstNode =
+  TWorflowNode(YamlNode n) or
+  TExpressionNode(StringValue n, string expression, int exprOffset) {
+    expression = getASimpleReferenceExpression(n, exprOffset)
+  }

-  AstNode getAChildNode() { result = super.getAChildNode() }
+class AstNode extends TAstNode {
+  abstract AstNode getAChildNode();

-  string toString() { result = super.toString() }
+  abstract AstNode getParentNode();

-  string getAPrimaryQlClass() { result = super.getAPrimaryQlClass() }
+  abstract string getAPrimaryQlClass();

-  Location getLocation() { result = super.getLocation() }
+  abstract string toString();
+
+  abstract Location getLocation();
+
+  abstract File getFile();

  /**
   * Gets the enclosing workflow statement.
@@ -23,8 +28,11 @@ class AstNode instanceof YamlNode {
  /**
   * Gets a environment variable expression by name in the scope of the current node.
   */
-  StringLiteral getEnvVar(string name) {
-    exists(Env env | env.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result) |
+  ExpressionNode getInScopeEnvVarExpr(string name) {
+    exists(StringValue l, Env env |
+      env.asYamlMapping().maps(any(YamlScalar s | s.getValue() = name), l.asYamlNode()) and
+      l.getAnExpression() = result
+    |
      env.(StepEnv).getStep().getAChildNode*() = this
      or
      env.(JobEnv).getJob().getAChildNode*() = this
@@ -34,14 +42,174 @@ class AstNode instanceof YamlNode {
  }
 }

+class ExpressionNode extends AstNode, TExpressionNode {
+  StringValue n;
+  string rawExpression;
+  string expression;
+  int exprOffset;
+
+  ExpressionNode() {
+    this = TExpressionNode(n, rawExpression, exprOffset - 1) and
+    expression =
+      rawExpression.regexpCapture("\\$\\{\\{\\s*([A-Za-z0-9_\\[\\]\\*\\((\\)\\.\\-]+)\\s*\\}\\}", 1)
+  }
+
+  override string toString() { result = expression }
+
+  override AstNode getAChildNode() { none() }
+
+  override AstNode getParentNode() { result = n }
+
+  override string getAPrimaryQlClass() { result = "ExpressionNode" }
+
+  string getExpression() { result = expression }
+
+  string getRawExpression() { result = rawExpression }
+
+  Job getJob() { result.getAChildNode*() = n }
+
+  int lineLength(int idx) {
+    exists(string line | line = n.getValue().splitAt("\n", idx) and result = line.length() + 1)
+  }
+
+  bindingset[i]
+  int unboundPartialLineLengthSum(int i) {
+    result = sum(int j, int length | j in [0 .. i] and length = this.lineLength(j) | length)
+  }
+
+  int partialLineLengthSum(int i) {
+    i in [0 .. count(n.getValue().splitAt("\n"))] and
+    result = this.unboundPartialLineLengthSum(i)
+  }
+
+  predicate expressionOffsets(int sl, int sc, int el, int ec) {
+    exists(int lineDiff, string style, Location loc |
+      loc = n.asYamlNode().getLocation() and
+      lineDiff = loc.getEndLine() - loc.getStartLine() and
+      style = n.asYamlNode().(YamlString).getStyle()
+    |
+      // eg:
+      //  - run: echo "hello"
+      //  - run: 'echo "hello"'
+      //  - run: "echo 'hello'"
+      style = ["", "\"", "'"] and
+      lineDiff = 0 and
+      sl = loc.getStartLine() and
+      el = sl and
+      sc = loc.getStartColumn() + exprOffset and
+      ec = sc + rawExpression.length() - 1
+      or
+      // eg:
+      //  - run: "echo 'hello'
+      //      echo 'hello'"
+      //  - run: "echo 'hello'
+      //     echo 'hello'
+      //     echo 'hello'"
+      style = ["", "\"", "'"] and
+      lineDiff > 0 and
+      sl = loc.getStartLine() and
+      el = loc.getEndLine() and
+      sc = loc.getStartColumn() and
+      ec = loc.getEndColumn()
+      or
+      // eg:
+      //  - run: |
+      //      echo "hello"
+      //  - run: |
+      //      echo "hello"
+      //      echo "bye"
+      style = "|" and
+      exists(int r |
+        (
+          r > 0 and
+          this.partialLineLengthSum(r - 1) < exprOffset and
+          this.partialLineLengthSum(r) >= exprOffset and
+          sl = loc.getStartLine() + r + 1 and
+          el = sl and
+          sc =
+            n.getKeyNode().getLocation().getStartColumn() + exprOffset -
+                  this.partialLineLengthSum(r - 1) + 2 - 1 and
+          ec = sc + rawExpression.length() - 1
+          or
+          r = 0 and
+          this.partialLineLengthSum(r) > exprOffset and
+          sl = loc.getStartLine() + r + 1 and
+          el = sl and
+          sc = n.getKeyNode().getLocation().getStartColumn() + 2 + exprOffset and
+          ec = sc + rawExpression.length() - 1
+        )
+      )
+      or
+      // eg:
+      //  - run: >
+      //      echo "hello"
+      //  - run: >
+      //      echo "hello"
+      //      echo "hello"
+      style = ">" and
+      sl = loc.getStartLine() + 1 and
+      el = loc.getEndLine() and
+      sc = n.getKeyNode().getLocation().getStartColumn() and
+      ec = loc.getEndColumn()
+    )
+  }
+
+  override Location getLocation() {
+    exists(Location loc |
+      this.hasLocationInfo(loc.getFile().getAbsolutePath(), loc.getStartLine(),
+        loc.getStartColumn(), loc.getEndLine(), loc.getEndColumn()) and
+      result = loc
+    )
+  }
+
+  predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
+    path = n.asYamlNode().getFile().getAbsolutePath() and
+    this.expressionOffsets(sl, sc, el, ec)
+  }
+
+  override File getFile() { result = n.asYamlNode().getFile() }
+}
+
+/**
+ * Base class for the AST tree. Based on YamlNode from the Yaml library.
+ */
+class WorkflowNode extends AstNode, TWorflowNode {
+  YamlNode n;
+
+  WorkflowNode() { this = TWorflowNode(n) }
+
+  override AstNode getParentNode() { result = TWorflowNode(n.getParentNode()) }
+
+  override AstNode getAChildNode() {
+    result = TWorflowNode(n.getAChildNode())
+    or
+    exists(ExpressionNode e | e.getParentNode() = this | result = e)
+  }
+
+  override string getAPrimaryQlClass() { result = n.getAPrimaryQlClass() }
+
+  override Location getLocation() { result = n.getLocation() }
+
+  override File getFile() { result = n.getFile() }
+
+  YamlNode asYamlNode() { result = n }
+
+  YamlMapping asYamlMapping() { result = n }
+
+  override string toString() { result = n.toString() }
+}
+
 /** A common class for `env` in workflow, job or step. */
-abstract class Env extends AstNode instanceof YamlMapping { }
+abstract class Env extends WorkflowNode { }

 /** A workflow level `env` mapping. */
 class WorkflowEnv extends Env {
  Workflow workflow;

-  WorkflowEnv() { workflow.(YamlMapping).lookup("env") = this }
+  WorkflowEnv() {
+    n instanceof YamlMapping and
+    workflow.asYamlMapping().lookup("env") = this.asYamlNode()
+  }

  /** Gets the workflow this field belongs to. */
  Workflow getWorkflow() { result = workflow }
@@ -51,7 +219,7 @@ class WorkflowEnv extends Env {
 class JobEnv extends Env {
  Job job;

-  JobEnv() { job.(YamlMapping).lookup("env") = this }
+  JobEnv() { job.asYamlMapping().lookup("env") = this.asYamlNode() }

  /** Gets the job this field belongs to. */
  Job getJob() { result = job }
@@ -61,7 +229,7 @@ class JobEnv extends Env {
 class StepEnv extends Env {
  Step step;

-  StepEnv() { step.(YamlMapping).lookup("env") = this }
+  StepEnv() { step.asYamlMapping().lookup("env") = this.asYamlNode() }

  /** Gets the step this field belongs to. */
  Step getStep() { result = step }
@@ -71,27 +239,32 @@ class StepEnv extends Env {
 * A custom composite action. This is a mapping at the top level of an Actions YAML action file.
 * See https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions.
 */
-class CompositeAction extends AstNode instanceof YamlDocument, YamlMapping {
-  //class CompositeAction extends AstNode, YamlDocument, YamlMapping {
+class CompositeAction extends WorkflowNode {
+  //class CompositeAction extends WorkflowNode, YamlDocument, YamlMapping {
  CompositeAction() {
+    n instanceof YamlDocument and
+    n instanceof YamlMapping and
    this.getFile().getBaseName() = ["action.yml", "action.yaml"] and
-    super.lookup("runs").(YamlMapping).lookup("using").(YamlScalar).getValue() = "composite"
+    this.asYamlMapping().lookup("runs").(YamlMapping).lookup("using").(YamlScalar).getValue() =
+      "composite"
  }

  /** Gets the `runs` mapping. */
-  Runs getRuns() { result = super.lookup("runs") }
+  Runs getRuns() { result.asYamlNode() = this.asYamlMapping().lookup("runs") }

-  Outputs getOutputs() { result = super.lookup("outputs") }
+  Outputs getOutputs() { result.asYamlNode() = this.asYamlMapping().lookup("outputs") }

-  StringLiteral getAnOutput() { result = this.getOutputs().getAnOutput() }
+  ExpressionNode getAnOutputExpr() { result = this.getOutputs().getAnOutputExpr() }

-  StringLiteral getOutput(string name) { result = this.getOutputs().getOutput(name) }
+  ExpressionNode getOutputExpr(string name) { result = this.getOutputs().getOutputExpr(name) }

-  Input getAnInput() { super.lookup("inputs").(YamlMapping).maps(result, _) }
+  Input getAnInput() {
+    this.asYamlMapping().lookup("inputs").(YamlMapping).maps(result.asYamlNode(), _)
+  }

  Input getInput(string name) {
-    super.lookup("inputs").(YamlMapping).maps(result, _) and
-    result.(YamlString).getValue() = name
+    this.asYamlMapping().lookup("inputs").(YamlMapping).maps(result.asYamlNode(), _) and
+    result.asYamlNode().(YamlString).getValue() = name
  }
 }

@@ -99,34 +272,43 @@ class CompositeAction extends AstNode instanceof YamlDocument, YamlMapping {
 * An `runs` mapping in a custom composite action YAML.
 * See https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#runs
 */
-class Runs extends AstNode instanceof YamlMapping {
+class Runs extends WorkflowNode {
  CompositeAction action;

-  Runs() { action.(YamlMapping).lookup("runs") = this }
+  Runs() {
+    n instanceof YamlMapping and
+    action.asYamlMapping().lookup("runs") = this.asYamlNode()
+  }

  /** Gets the action that this `runs` mapping is in. */
  CompositeAction getAction() { result = action }

  /** Gets any steps that are defined within this job. */
-  Step getAStep() { result = super.lookup("steps").(YamlSequence).getElementNode(_) }
+  Step getAStep() {
+    result.asYamlNode() = this.asYamlMapping().lookup("steps").(YamlSequence).getElementNode(_)
+  }

  /** Gets the step at the given index within this job. */
-  Step getStep(int i) { result = super.lookup("steps").(YamlSequence).getElementNode(i) }
+  Step getStep(int i) {
+    result.asYamlNode() = this.asYamlMapping().lookup("steps").(YamlSequence).getElementNode(i)
+  }
 }

 /**
 * An Actions workflow. This is a mapping at the top level of an Actions YAML workflow file.
 * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions.
 */
-class Workflow extends AstNode instanceof YamlDocument, YamlMapping {
+class Workflow extends WorkflowNode {
+  Workflow() { n instanceof YamlDocument and n instanceof YamlMapping }
+
  /** Gets the `jobs` mapping from job IDs to job definitions in this workflow. */
-  YamlMapping getJobs() { result = super.lookup("jobs") }
+  YamlMapping getJobs() { result = this.asYamlMapping().lookup("jobs") }

  /** Gets the 'global' `env` mapping in this workflow. */
-  WorkflowEnv getEnv() { result = super.lookup("env") }
+  WorkflowEnv getEnv() { result.asYamlNode() = this.asYamlMapping().lookup("env") }

  /** Gets the name of the workflow. */
-  string getName() { result = super.lookup("name").(YamlString).getValue() }
+  string getName() { result = this.asYamlMapping().lookup("name").(YamlString).getValue() }

  /** Gets the job within this workflow with the given job ID. */
  Job getJob(string jobId) { result.getWorkflow() = this and result.getId() = jobId }
@@ -135,118 +317,131 @@ class Workflow extends AstNode instanceof YamlDocument, YamlMapping {
  Job getAJob() { result = this.getJob(_) }

  predicate hasTriggerEvent(string trigger) {
-    exists(YamlNode n | n = super.lookup("on").(YamlMappingLikeNode).getNode(trigger))
+    exists(YamlNode y |
+      y = this.asYamlMapping().lookup("on").(YamlMappingLikeNode).getNode(trigger)
+    )
  }

  string getATriggerEvent() {
-    exists(YamlNode n | n = super.lookup("on").(YamlMappingLikeNode).getNode(result))
+    exists(YamlNode y | y = this.asYamlMapping().lookup("on").(YamlMappingLikeNode).getNode(result))
  }

-  Permissions getPermissions() { result = super.lookup("permissions") }
+  Permissions getPermissions() { result.asYamlNode() = this.asYamlMapping().lookup("permissions") }

-  Strategy getStrategy() { result = super.lookup("strategy") }
+  Strategy getStrategy() { result.asYamlNode() = this.asYamlMapping().lookup("strategy") }
 }

-class ReusableWorkflow extends Workflow instanceof YamlMapping {
+class ReusableWorkflow extends Workflow {
  YamlValue workflow_call;

  ReusableWorkflow() {
-    super.lookup("on").(YamlMappingLikeNode).getNode("workflow_call") = workflow_call
+    n instanceof YamlMapping and
+    this.asYamlMapping().lookup("on").(YamlMappingLikeNode).getNode("workflow_call") = workflow_call
  }

-  Outputs getOutputs() { result = workflow_call.(YamlMapping).lookup("outputs") }
+  Outputs getOutputs() { result.asYamlNode() = workflow_call.(YamlMapping).lookup("outputs") }

-  StringLiteral getAnOutput() { result = this.getOutputs().getAnOutput() }
+  ExpressionNode getAnOutputExpr() { result = this.getOutputs().getAnOutputExpr() }

-  StringLiteral getOutput(string name) { result = this.getOutputs().getOutput(name) }
+  ExpressionNode getOutputExpr(string name) { result = this.getOutputs().getOutputExpr(name) }

-  Input getAnInput() { workflow_call.(YamlMapping).lookup("inputs").(YamlMapping).maps(result, _) }
+  Input getAnInput() {
+    workflow_call.(YamlMapping).lookup("inputs").(YamlMapping).maps(result.asYamlNode(), _)
+  }

  Input getInput(string name) {
-    workflow_call.(YamlMapping).lookup("inputs").(YamlMapping).maps(result, _) and
-    result.(YamlString).getValue() = name
+    workflow_call.(YamlMapping).lookup("inputs").(YamlMapping).maps(result.asYamlNode(), _) and
+    result.asYamlNode().(YamlString).getValue() = name
  }
 }

-class Input extends AstNode {
+class Input extends WorkflowNode {
  YamlMapping parent;

-  Input() { parent.lookup("inputs").(YamlMapping).maps(this, _) }
+  Input() { parent.lookup("inputs").(YamlMapping).maps(this.asYamlNode(), _) }
 }

-class Outputs extends AstNode instanceof YamlMapping {
+class Outputs extends WorkflowNode {
  YamlMapping parent;

-  Outputs() { parent.lookup("outputs") = this }
+  Outputs() {
+    n instanceof YamlMapping and
+    parent.lookup("outputs") = this.asYamlNode()
+  }

  /**
   * Gets an output expression.
   */
-  StringLiteral getAnOutput() {
-    super.lookup(_).(YamlMapping).lookup("value") = result or
-    super.lookup(_) = result
-  }
+  ExpressionNode getAnOutputExpr() { result = this.getOutputExpr(_) }

  /**
   * Gets a specific output expression by name.
   */
-  StringLiteral getOutput(string name) {
-    super.lookup(name).(YamlMapping).lookup("value") = result or
-    super.lookup(name) = result
+  ExpressionNode getOutputExpr(string name) {
+    exists(StringValue l |
+      l.getAnExpression() = result and
+      (
+        this.asYamlMapping().lookup(name).(YamlMapping).lookup("value") = l.asYamlNode() or
+        this.asYamlMapping().lookup(name) = l.asYamlNode()
+      )
+    )
  }

-  string getAnOutputName() { this.(YamlMapping).maps(any(YamlString s | s.getValue() = result), _) }
+  string getAnOutputName() {
+    this.asYamlMapping().maps(any(YamlString s | s.getValue() = result), _)
+  }

  override string toString() { result = "Job outputs node" }
 }

-class Permissions extends AstNode instanceof YamlMapping {
+class Permissions extends WorkflowNode {
  YamlMapping parent;

-  Permissions() { parent.lookup("permissions") = this }
+  Permissions() {
+    n instanceof YamlMapping and
+    parent.lookup("permissions") = this.asYamlNode()
+  }
 }

-class Strategy extends AstNode instanceof YamlMapping {
+class Strategy extends WorkflowNode {
  YamlMapping parent;

-  Strategy() { parent.lookup("strategy") = this }
-
-  /**
-   * Gets a specific matric expression (YamlMapping) by name.
-   */
-  StringLiteral getMatrixVar(string name) {
-    super.lookup("matrix").(YamlMapping).lookup(name) = result
+  Strategy() {
+    n instanceof YamlMapping and
+    parent.lookup("strategy") = this.asYamlNode()
  }

  /**
   * Gets a specific matric expression (YamlMapping) by name.
   */
-  StringLiteral getAMatrixVar() { super.lookup("matrix").(YamlMapping).lookup(_) = result }
+  StringValue getMatrixVar(string name) {
+    this.asYamlMapping().lookup("matrix").(YamlMapping).lookup(name) = result.asYamlNode()
+  }
+
+  /**
+   * Gets a specific matric expression (YamlMapping) by name.
+   */
+  StringValue getAMatrixVar() {
+    this.asYamlMapping().lookup("matrix").(YamlMapping).lookup(_) = result.asYamlNode()
+  }
 }

 /**
 * https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idneeds
 */
-class Needs extends AstNode instanceof YamlMappingLikeNode {
+class Needs extends WorkflowNode {
  Job job;

-  Needs() { job.(YamlMapping).lookup("needs") = this }
+  Needs() {
+    n instanceof YamlMappingLikeNode and
+    job.asYamlMapping().lookup("needs") = this.asYamlNode()
+  }

  Job getJob() { result = job }

  Job getANeededJob() {
-    result.getId() = super.getNode(_).(YamlString).getValue() and
-    result.getLocation().getFile() = job.getLocation().getFile()
-    // if this instanceof YamlString
-    // then
-    //   result.getId() = this.(YamlString).getValue() and
-    //   result.getLocation().getFile() = job.getLocation().getFile()
-    // else
-    //   if this instanceof YamlSequence
-    //   then
-    //     result.getId() = this.(YamlSequence).getElementNode(_).(YamlString).getValue() and
-    //     result.getLocation().getFile() = job.getLocation().getFile()
-    //   else none()
+    result.getId() = this.asYamlNode().(YamlMappingLikeNode).getNode(_).(YamlString).getValue() and
+    result.getFile() = job.getFile()
  }
 }

@@ -254,11 +449,14 @@ class Needs extends AstNode instanceof YamlMappingLikeNode {
 * An Actions job within a workflow.
 * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobs.
 */
-class Job extends AstNode instanceof YamlMapping {
+class Job extends WorkflowNode {
  string jobId;
  Workflow workflow;

-  Job() { this = workflow.getJobs().lookup(jobId) }
+  Job() {
+    n instanceof YamlMapping and
+    this.asYamlNode() = workflow.getJobs().lookup(jobId)
+  }

  /**
   * Gets the ID of this job, as a string.
@@ -267,10 +465,14 @@ class Job extends AstNode instanceof YamlMapping {
  string getId() { result = jobId }

  /** Gets any steps that are defined within this job. */
-  Step getAStep() { result = super.lookup("steps").(YamlSequence).getElementNode(_) }
+  Step getAStep() {
+    result.asYamlNode() = this.asYamlMapping().lookup("steps").(YamlSequence).getElementNode(_)
+  }

  /** Gets the step at the given index within this job. */
-  Step getStep(int i) { result = super.lookup("steps").(YamlSequence).getElementNode(i) }
+  Step getStep(int i) {
+    result.asYamlNode() = this.asYamlMapping().lookup("steps").(YamlSequence).getElementNode(i)
+  }

  /** Gets the workflow this job belongs to. */
  Workflow getWorkflow() { result = workflow }
@@ -293,11 +495,11 @@ class Job extends AstNode instanceof YamlMapping {
   *   out1: ${steps.foo.bar}
   *   out2: ${steps.foo.baz}
   */
-  Outputs getOutputs() { result = super.lookup("outputs") }
+  Outputs getOutputs() { result.asYamlNode() = this.asYamlMapping().lookup("outputs") }

-  StringLiteral getAnOutput() { result = this.getOutputs().getAnOutput() }
+  ExpressionNode getAnOutputExpr() { result = this.getOutputs().getAnOutputExpr() }

-  StringLiteral getOutput(string name) { result = this.getOutputs().getOutput(name) }
+  ExpressionNode getOutputExpr(string name) { result = this.getOutputs().getOutputExpr(name) }

  /**
   * Reusable workflow jobs may have Uses children
@@ -310,14 +512,14 @@ class Job extends AstNode instanceof YamlMapping {
  UsesJob getUses() { result.getJob() = this }

  predicate usesReusableWorkflow() {
-    this.(YamlMapping).maps(any(YamlString s | s.getValue() = "uses"), _)
+    this.asYamlMapping().maps(any(YamlString s | s.getValue() = "uses"), _)
  }

-  If getIf() { result = super.lookup("if") }
+  If getIf() { result.asYamlNode() = this.asYamlMapping().lookup("if") }

-  Permissions getPermissions() { result = super.lookup("permissions") }
+  Permissions getPermissions() { result.asYamlNode() = this.asYamlMapping().lookup("permissions") }

-  Strategy getStrategy() { result = super.lookup("strategy") }
+  Strategy getStrategy() { result.asYamlNode() = this.asYamlMapping().lookup("strategy") }

  override string toString() { result = "Job: " + jobId }
 }
@@ -326,46 +528,46 @@ class Job extends AstNode instanceof YamlMapping {
 * A step within an Actions job.
 * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idsteps.
 */
-class Step extends AstNode instanceof YamlMapping {
+class Step extends WorkflowNode {
  YamlMapping parent;

-  Step() { parent.lookup("steps").(YamlSequence).getElementNode(_) = this }
+  Step() { parent.lookup("steps").(YamlSequence).getElementNode(_) = this.asYamlNode() }

  /** Gets the ID of this step, if any. */
-  string getId() { result = super.lookup("id").(YamlString).getValue() }
+  string getId() { result = this.asYamlMapping().lookup("id").(YamlString).getValue() }

  /** Gets the `job` this step belongs to, if the step belongs to a `job` in a workflow. Has no result if the step belongs to `runs` in a custom composite action. */
-  Job getJob() { result = parent }
+  Job getJob() { result.asYamlNode() = parent }

  /** Gets the value of the `if` field in this step, if any. */
-  If getIf() { result = super.lookup("if") }
+  If getIf() { result.asYamlNode() = this.asYamlMapping().lookup("if") }
 }

 /**
 * An If node representing a conditional statement.
 */
-class If extends AstNode {
-  YamlMapping parent;
+class If extends WorkflowNode {
+  WorkflowNode parent;

  If() {
    (parent instanceof Step or parent instanceof Job) and
-    parent.lookup("if") = this
+    parent.asYamlMapping().lookup("if") = this.asYamlNode()
  }

-  AstNode getEnclosingNode() { result = parent }
+  WorkflowNode getEnclosingNode() { result = parent }

-  string getCondition() { result = this.(YamlScalar).getValue() }
+  string getCondition() { result = this.asYamlNode().(YamlScalar).getValue() }
 }

 /**
 * Abstract class representing a call to a 3rd party action or reusable workflow.
 */
-abstract class Uses extends AstNode {
+abstract class Uses extends WorkflowNode {
  abstract string getCallee();

  abstract string getVersion();

-  abstract StringLiteral getArgument(string key);
+  abstract ExpressionNode getArgumentExpr(string key);

  override string toString() { result = "Uses Step" }
 }
@@ -385,7 +587,7 @@ private string usesParser() { result = "([^/]+)/([^/@]+)@(.+)" }
 class UsesStep extends Step, Uses {
  YamlScalar uses;

-  UsesStep() { this.(YamlMapping).maps(any(YamlScalar s | s.getValue() = "uses"), uses) }
+  UsesStep() { this.asYamlMapping().maps(any(YamlScalar s | s.getValue() = "uses"), uses) }

  /** Gets the owner and name of the repository where the Action comes from, e.g. `actions/checkout` in `actions/checkout@v2`. */
  override string getCallee() {
@@ -399,8 +601,11 @@ class UsesStep extends Step, Uses {
  /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */
  override string getVersion() { result = uses.getValue().regexpCapture(usesParser(), 3) }

-  override StringLiteral getArgument(string key) {
-    result = this.(YamlMapping).lookup("with").(YamlMapping).lookup(key)
+  override Expression getArgumentExpr(string key) {
+    exists(StringValue l |
+      l.asYamlNode() = this.asYamlMapping().lookup("with").(YamlMapping).lookup(key) and
+      result = l.getAnExpression()
+    )
  }

  override string toString() {
@@ -411,8 +616,11 @@ class UsesStep extends Step, Uses {
 /**
 * A Uses step represents a call to an action that is defined in a GitHub repository.
 */
-class UsesJob extends Uses instanceof YamlMapping {
-  UsesJob() { this instanceof Job and this.maps(any(YamlString s | s.getValue() = "uses"), _) }
+class UsesJob extends Uses {
+  UsesJob() {
+    this instanceof Job and
+    this.asYamlMapping().maps(any(YamlString s | s.getValue() = "uses"), _)
+  }

  Job getJob() { result = this }

@@ -428,7 +636,7 @@ class UsesJob extends Uses instanceof YamlMapping {

  override string getCallee() {
    exists(YamlString name |
-      super.lookup("uses") = name and
+      this.asYamlMapping().lookup("uses") = name and
      if name.getValue().matches("./%")
      then result = name.getValue().regexpCapture(this.pathUsesParser(), 1)
      else
@@ -442,15 +650,18 @@ class UsesJob extends Uses instanceof YamlMapping {
  /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */
  override string getVersion() {
    exists(YamlString name |
-      super.lookup("uses") = name and
+      this.asYamlMapping().lookup("uses") = name and
      if not name.getValue().matches("\\.%")
      then result = name.getValue().regexpCapture(this.repoUsesParser(), 4)
      else none()
    )
  }

-  override StringLiteral getArgument(string key) {
-    super.lookup("with").(YamlMapping).lookup(key) = result
+  override ExpressionNode getArgumentExpr(string key) {
+    exists(StringValue l |
+      this.asYamlMapping().lookup("with").(YamlMapping).lookup(key) = l.asYamlNode() and
+      result = l.getAnExpression()
+    )
  }
 }

@@ -459,11 +670,11 @@ class UsesJob extends Uses instanceof YamlMapping {
 * See https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsrun.
 */
 class Run extends Step {
-  StringLiteral script;
+  StringValue script;

-  Run() { this.(YamlMapping).maps(any(YamlString s | s.getValue() = "run"), script) }
+  Run() { this.asYamlMapping().maps(any(YamlString s | s.getValue() = "run"), script.asYamlNode()) }

-  StringLiteral getScript() { result = script }
+  StringValue getScript() { result = script }

  override string toString() {
    if exists(this.getId()) then result = "Run Step: " + this.getId() else result = "Run Step"
@@ -473,18 +684,29 @@ class Run extends Step {
 /**
 * A YamlString part of a YamlSequence or YamlMapping values.
 */
-class StringLiteral extends AstNode instanceof YamlString {
-  StringLiteral() {
+class StringValue extends WorkflowNode {
+  YamlNode keyNode;
+
+  StringValue() {
+    n instanceof YamlString and
    exists(YamlCollection c |
-      c instanceof YamlMapping and
-      c.(YamlMapping).maps(_, this)
-      or
-      c instanceof YamlSequence and
-      c.(YamlSequence).getElementNode(_) = this
+      c = keyNode and
+      (
+        c instanceof YamlMapping and
+        //c.(YamlMapping).maps(_, this.asYamlNode())
+        exists(int i | this.asYamlNode() = c.(YamlMapping).getValueNode(i))
+        or
+        c instanceof YamlSequence and
+        c.(YamlSequence).getElementNode(_) = this.asYamlNode()
+      )
    )
  }

-  string getValue() { result = this.(YamlString).getValue() }
+  string getValue() { result = this.asYamlNode().(YamlString).getValue() }
+
+  YamlNode getKeyNode() { result = keyNode }
+
+  ExpressionNode getAnExpression() { result = this.getAChildNode() }
 }

 /**
@@ -493,27 +715,16 @@ class StringLiteral extends AstNode instanceof YamlString {
 * Only finds simple expressions like `${{ github.event.comment.body }}`, where the expression contains only alphanumeric characters, underscores, dots, or dashes.
 * Does not identify more complicated expressions like `${{ fromJSON(env.time) }}`, or ${{ format('{{Hello {0}!}}', github.event.head_commit.author.name) }}
 */
-string getASimpleReferenceExpression(YamlString node) {
+string getASimpleReferenceExpression(StringValue node, int offset) {
  // We use `regexpFind` to obtain *all* matches of `${{...}}`,
  // not just the last (greedy match) or first (reluctant match).
  result =
    node.getValue()
-        .regexpFind("\\$\\{\\{\\s*[A-Za-z0-9_\\[\\]\\*\\(\\)\\.\\-]+\\s*\\}\\}", _, _)
-        .regexpCapture("\\$\\{\\{\\s*([A-Za-z0-9_\\[\\]\\*\\((\\)\\.\\-]+)\\s*\\}\\}", 1)
+        .regexpFind("\\$\\{\\{\\s*[A-Za-z0-9_\\[\\]\\*\\(\\)\\.\\-]+\\s*\\}\\}", _, offset)
+        .regexpCapture("(\\$\\{\\{\\s*[A-Za-z0-9_\\[\\]\\*\\((\\)\\.\\-]+\\s*\\}\\})", 1)
 }

-/**
- * A StringLiteral containing a workflow expression ${{}}.
- */
-class Expression extends StringLiteral {
-  string expr;
-
-  Expression() { expr = getASimpleReferenceExpression(this) }
-
-  string getExpression() { result = expr }
-
-  Job getJob() { result.getAChildNode*() = this }
-}
+class Expression extends ExpressionNode { }

 /**
 * A ${{}} expression accessing a context variable such as steps, needs, jobs, env, inputs, or matrix.
@@ -521,10 +732,11 @@ class Expression extends StringLiteral {
 */
 class ContextExpression extends Expression {
  ContextExpression() {
-    expr.regexpMatch([
-        stepsCtxRegex(), needsCtxRegex(), jobsCtxRegex(), envCtxRegex(), inputsCtxRegex(),
-        matrixCtxRegex()
-      ])
+    expression
+        .regexpMatch([
+            stepsCtxRegex(), needsCtxRegex(), jobsCtxRegex(), envCtxRegex(), inputsCtxRegex(),
+            matrixCtxRegex()
+          ])
  }

  abstract string getFieldName();
@@ -567,15 +779,15 @@ class StepsExpression extends ContextExpression {
  string fieldName;

  StepsExpression() {
-    expr.regexpMatch(stepsCtxRegex()) and
-    stepId = expr.regexpCapture(stepsCtxRegex(), 1) and
-    fieldName = expr.regexpCapture(stepsCtxRegex(), 2)
+    expression.regexpMatch(stepsCtxRegex()) and
+    stepId = expression.regexpCapture(stepsCtxRegex(), 1) and
+    fieldName = expression.regexpCapture(stepsCtxRegex(), 2)
  }

  override string getFieldName() { result = fieldName }

  override AstNode getTarget() {
-    this.getLocation().getFile() = result.getLocation().getFile() and
+    this.getFile() = result.getFile() and
    result.(Step).getId() = stepId
  }
 }
@@ -591,9 +803,9 @@ class NeedsExpression extends ContextExpression {
  string fieldName;

  NeedsExpression() {
-    expr.regexpMatch(needsCtxRegex()) and
-    neededJobId = expr.regexpCapture(needsCtxRegex(), 1) and
-    fieldName = expr.regexpCapture(needsCtxRegex(), 2) and
+    expression.regexpMatch(needsCtxRegex()) and
+    neededJobId = expression.regexpCapture(needsCtxRegex(), 1) and
+    fieldName = expression.regexpCapture(needsCtxRegex(), 2) and
    neededJob.getId() = neededJobId
  }

@@ -602,7 +814,7 @@ class NeedsExpression extends ContextExpression {
  override string getFieldName() { result = fieldName }

  override AstNode getTarget() {
-    neededJob.getLocation().getFile() = this.getLocation().getFile() and
+    neededJob.getFile() = this.getFile() and
    this.getJob().getANeededJob() = neededJob and
    (
      // regular jobs
@@ -624,9 +836,9 @@ class JobsExpression extends ContextExpression {
  string fieldName;

  JobsExpression() {
-    expr.regexpMatch(jobsCtxRegex()) and
-    jobId = expr.regexpCapture(jobsCtxRegex(), 1) and
-    fieldName = expr.regexpCapture(jobsCtxRegex(), 2)
+    expression.regexpMatch(jobsCtxRegex()) and
+    jobId = expression.regexpCapture(jobsCtxRegex(), 1) and
+    fieldName = expression.regexpCapture(jobsCtxRegex(), 2)
  }

  override string getFieldName() { result = fieldName }
@@ -634,7 +846,7 @@ class JobsExpression extends ContextExpression {
  override AstNode getTarget() {
    exists(Job job |
      job.getId() = jobId and
-      job.getLocation().getFile() = this.getLocation().getFile() and
+      job.getFile() = this.getFile() and
      job.getOutputs() = result
    )
  }
@@ -649,14 +861,14 @@ class InputsExpression extends ContextExpression {
  string fieldName;

  InputsExpression() {
-    expr.regexpMatch(inputsCtxRegex()) and
-    fieldName = expr.regexpCapture(inputsCtxRegex(), 1)
+    expression.regexpMatch(inputsCtxRegex()) and
+    fieldName = expression.regexpCapture(inputsCtxRegex(), 1)
  }

  override string getFieldName() { result = fieldName }

  override AstNode getTarget() {
-    result.getLocation().getFile() = this.getLocation().getFile() and
+    result.getFile() = this.getFile() and
    (
      exists(ReusableWorkflow w | w.getInput(fieldName) = result)
      or
@@ -674,15 +886,15 @@ class EnvExpression extends ContextExpression {
  string fieldName;

  EnvExpression() {
-    expr.regexpMatch(envCtxRegex()) and
-    fieldName = expr.regexpCapture(envCtxRegex(), 1)
+    expression.regexpMatch(envCtxRegex()) and
+    fieldName = expression.regexpCapture(envCtxRegex(), 1)
  }

  override string getFieldName() { result = fieldName }

  override AstNode getTarget() {
-    exists(AstNode s |
-      s.getEnvVar(fieldName) = result and
+    exists(WorkflowNode s |
+      s.getInScopeEnvVarExpr(fieldName) = result and
      s.getAChildNode*() = this
    )
  }
@@ -697,8 +909,8 @@ class MatrixExpression extends ContextExpression {
  string fieldName;

  MatrixExpression() {
-    expr.regexpMatch(matrixCtxRegex()) and
-    fieldName = expr.regexpCapture(matrixCtxRegex(), 1)
+    expression.regexpMatch(matrixCtxRegex()) and
+    fieldName = expression.regexpCapture(matrixCtxRegex(), 1)
  }

  override string getFieldName() { result = fieldName }
--- a/ql/lib/codeql/actions/ast/internal/Yaml.qll
+++ b/ql/lib/codeql/actions/ast/internal/Yaml.qll
@@ -11,7 +11,14 @@ private module YamlSig implements LibYaml::InputSig {
  import codeql.Locations

  class LocatableBase extends @yaml_locatable {
-    Location getLocation() { yaml_locations(this, result) }
+    Location getLocation() {
+      exists(@location_default loc, File f, string p, int sl, int sc, int el, int ec |
+        f.getAbsolutePath() = p and
+        locations_default(loc, f, sl, sc, el, ec) and
+        yaml_locations(this, loc) and
+        result = TBaseLocation(p, sl, sc, el, ec)
+      )
+    }

    string toString() { none() }
  }
--- a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll
+++ b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll
@@ -80,7 +80,7 @@ module Completion {
 }

 module CfgScope {
-  abstract class CfgScope extends AstNode { }
+  abstract class CfgScope extends WorkflowNode { }

  class WorkflowScope extends CfgScope instanceof Workflow { }

@@ -148,7 +148,7 @@ private class CompositeActionTree extends StandardPreOrderTree instanceof Compos
      rank[i](AstNode child, Location l |
        (
          child = this.(CompositeAction).getAnInput() or
-          child = this.(CompositeAction).getAnOutput() or
+          child = this.(CompositeAction).getAnOutputExpr() or
          child = this.(CompositeAction).getRuns()
        ) and
        l = child.getLocation()
@@ -172,7 +172,7 @@ private class WorkflowTree extends StandardPreOrderTree instanceof Workflow {
        rank[i](AstNode child, Location l |
          (
            child = this.(ReusableWorkflow).getAnInput() or
-            child = this.(ReusableWorkflow).getAnOutput() or
+            child = this.(ReusableWorkflow).getAnOutputExpr() or
            child = this.(ReusableWorkflow).getStrategy() or
            child = this.(ReusableWorkflow).getAJob()
          ) and
@@ -202,7 +202,7 @@ private class OutputsTree extends StandardPreOrderTree instanceof Outputs {
  override ControlFlowTree getChildNode(int i) {
    result =
      rank[i](AstNode child, Location l |
-        child = super.getOutput(_) and l = child.getLocation()
+        child = super.getOutputExpr(_) and l = child.getLocation()
      |
        child
        order by
@@ -247,7 +247,7 @@ private class UsesTree extends StandardPreOrderTree instanceof Uses {
  override ControlFlowTree getChildNode(int i) {
    result =
      rank[i](AstNode child, Location l |
-        (child = super.getArgument(_) or child = super.getEnvVar(_)) and
+        (child = super.getArgumentExpr(_) or child = super.getInScopeEnvVarExpr(_)) and
        l = child.getLocation()
      |
        child
@@ -261,7 +261,7 @@ private class RunTree extends StandardPreOrderTree instanceof Run {
  override ControlFlowTree getChildNode(int i) {
    result =
      rank[i](AstNode child, Location l |
-        (child = super.getEnvVar(_) or child = super.getScript()) and
+        (child = super.getInScopeEnvVarExpr(_) or child = super.getScript()) and
        l = child.getLocation()
      |
        child
@@ -271,8 +271,21 @@ private class RunTree extends StandardPreOrderTree instanceof Run {
  }
 }

+private class StringValueTree extends StandardPreOrderTree instanceof StringValue {
+  override ControlFlowTree getChildNode(int i) {
+    result =
+      rank[i](ExpressionNode child, int sl, int el, int sc, int ec, string path |
+        child = super.getAChildNode() and child.hasLocationInfo(path, sl, sc, el, ec)
+      |
+        child order by sl, sc, ec, el, child.toString()
+      )
+  }
+}
+
 private class UsesLeaf extends LeafTree instanceof Uses { }

 private class InputTree extends LeafTree instanceof Input { }

-private class StringLiteralLeaf extends LeafTree instanceof StringLiteral { }
+private class StringValueLeaf extends LeafTree instanceof StringValue { }
+
+private class ExpressionLeaf extends LeafTree instanceof ExpressionNode { }
--- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
+++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
@@ -52,7 +52,7 @@ predicate externallyDefinedSource(
    ) and
    (
      if fieldName.trim().matches("env.%")
-      then source.asExpr() = uses.getEnvVar(fieldName.trim().replaceAll("env.", ""))
+      then source.asExpr() = uses.getInScopeEnvVarExpr(fieldName.trim().replaceAll("env.", ""))
      else
        if fieldName.trim().matches("output.%")
        then source.asExpr() = uses
@@ -76,10 +76,10 @@ predicate externallyDefinedStoreStep(
    ) and
    (
      if input.trim().matches("env.%")
-      then pred.asExpr() = uses.getEnvVar(input.trim().replaceAll("env.", ""))
+      then pred.asExpr() = uses.getInScopeEnvVarExpr(input.trim().replaceAll("env.", ""))
      else
        if input.trim().matches("input.%")
-        then pred.asExpr() = uses.getArgument(input.trim().replaceAll("input.", ""))
+        then pred.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input.", ""))
        else none()
    ) and
    succ.asExpr() = uses
@@ -90,10 +90,10 @@ predicate externallyDefinedSink(DataFlow::ExprNode sink, string kind) {
  exists(Uses uses, string action, string version, string input |
    (
      if input.trim().matches("env.%")
-      then sink.asExpr() = uses.getEnvVar(input.trim().replaceAll("env.", ""))
+      then sink.asExpr() = uses.getInScopeEnvVarExpr(input.trim().replaceAll("env.", ""))
      else
        if input.trim().matches("input.%")
-        then sink.asExpr() = uses.getArgument(input.trim().replaceAll("input.", ""))
+        then sink.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input.", ""))
        else none()
    ) and
    sinkModel(action, version, input, kind) and
--- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll
+++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll
@@ -36,7 +36,7 @@ class AdditionalTaintStep extends Unit {
 predicate runEnvToScriptStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) {
  exists(Run r, string varName, string output |
    c = any(DataFlow::FieldContent ct | ct.getName() = output.replaceAll("output\\.", "")) and
-    r.getEnvVar(varName) = pred.asExpr() and
+    r.getInScopeEnvVarExpr(varName) = pred.asExpr() and
    exists(string script, string line |
      script = r.getScript().getValue() and
      line = script.splitAt("\n") and
--- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
+++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
@@ -72,8 +72,7 @@ class DataFlowCall instanceof Cfg::Node {
  /** Gets a textual representation of this element. */
  string toString() { result = super.toString() }

-  Location getLocation() { result = super.getLocation() }
-
+  //Location getLocation() { result = super.getLocation() }
  string getName() { result = super.getAstNode().(Uses).getCallee() }

  DataFlowCallable getEnclosingCallable() { result = super.getScope() }
@@ -85,8 +84,7 @@ class DataFlowCall instanceof Cfg::Node {
 class DataFlowCallable instanceof Cfg::CfgScope {
  string toString() { result = super.toString() }

-  Location getLocation() { result = super.getLocation() }
-
+  //Location getLocation() { result = super.getLocation() }
  string getName() {
    if this instanceof ReusableWorkflow
    then result = this.(ReusableWorkflow).getLocation().getFile().getRelativePath()
@@ -162,7 +160,7 @@ class ParameterPosition extends string {
 * Made a string to match `With:` keys in the AST
 */
 class ArgumentPosition extends string {
-  ArgumentPosition() { exists(any(Uses e).getArgument(this)) }
+  ArgumentPosition() { exists(any(Uses e).getArgumentExpr(this)) }
 }

 /**
@@ -232,7 +230,7 @@ predicate matrixCtxLocalStep(Node nodeFrom, Node nodeTo) {
 * e.g. ${{ env.foo }}
 */
 predicate envCtxLocalStep(Node nodeFrom, Node nodeTo) {
-  exists(Expression astFrom, EnvExpression astTo |
+  exists(AstNode astFrom, EnvExpression astTo |
    astFrom = nodeFrom.asExpr() and
    astTo = nodeTo.asExpr() and
    (
@@ -301,7 +299,7 @@ predicate readStep(Node node1, ContentSet c, Node node2) { ctxFieldReadStep(node
 */
 predicate fieldStoreStep(Node node1, Node node2, ContentSet c) {
  exists(Outputs out, string fieldName |
-    node1.asExpr() = out.getOutput(fieldName) and
+    node1.asExpr() = out.getOutputExpr(fieldName) and
    node2.asExpr() = out and
    c = any(FieldContent ct | ct.getName() = fieldName)
  )
--- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll
+++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll
@@ -78,12 +78,12 @@ class CallNode extends ExprNode {
 * An argument to a Uses step (call).
 */
 class ArgumentNode extends ExprNode {
-  ArgumentNode() { this.getCfgNode().getAstNode() = any(Uses e).getArgument(_) }
+  ArgumentNode() { this.getCfgNode().getAstNode() = any(Uses e).getArgumentExpr(_) }

  predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
    this.getCfgNode() = call.(Cfg::Node).getASuccessor+() and
    call.(Cfg::Node).getAstNode() =
-      any(Uses e | e.getArgument(pos) = this.getCfgNode().getAstNode())
+      any(Uses e | e.getArgumentExpr(pos) = this.getCfgNode().getAstNode())
  }
 }

--- a/ql/lib/ext/actions_github-script.model.yml
+++ b/ql/lib/ext/actions_github-script.model.yml
@@ -3,5 +3,7 @@ extensions:
      pack: githubsecuritylab/actions-all
      extensible: sinkModel
    data:
-      - ["","","",""]
+      - ["actions/github-script","*","input.script","expression-injection"]
+
+

--- a/ql/src/Security/CWE-020/CompositeActionsSinks.ql
+++ b/ql/src/Security/CWE-020/CompositeActionsSinks.ql
@@ -18,7 +18,7 @@ import codeql.actions.dataflow.ExternalFlow

 private class ExpressionInjectionSink extends DataFlow::Node {
  ExpressionInjectionSink() {
-    exists(Run e | e.getScript() = this.asExpr()) or
+    exists(Run e | e.getScript().getAnExpression() = this.asExpr()) or
    externallyDefinedSink(this, "expression-injection")
  }
 }
--- a/ql/src/Security/CWE-020/CompositeActionsSources.ql
+++ b/ql/src/Security/CWE-020/CompositeActionsSources.ql
@@ -24,7 +24,7 @@ private module MyConfig implements DataFlow::ConfigSig {
  }

  predicate isSink(DataFlow::Node sink) {
-    exists(CompositeAction c | c.getAnOutput() = sink.asExpr())
+    exists(CompositeAction c | c.getAnOutputExpr() = sink.asExpr())
  }

  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet set) {
--- a/ql/src/Security/CWE-020/CompositeActionsSummaries.ql
+++ b/ql/src/Security/CWE-020/CompositeActionsSummaries.ql
@@ -22,7 +22,7 @@ private module MyConfig implements DataFlow::ConfigSig {
  }

  predicate isSink(DataFlow::Node sink) {
-    exists(CompositeAction c | c.getAnOutput() = sink.asExpr())
+    exists(CompositeAction c | c.getAnOutputExpr() = sink.asExpr())
  }
 }

--- a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql
+++ b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql
@@ -18,7 +18,7 @@ import codeql.actions.dataflow.ExternalFlow

 private class ExpressionInjectionSink extends DataFlow::Node {
  ExpressionInjectionSink() {
-    exists(Run e | e.getScript() = this.asExpr()) or
+    exists(Run e | e.getScript().getAnExpression() = this.asExpr()) or
    externallyDefinedSink(this, "expression-injection")
  }
 }
--- a/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql
+++ b/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql
@@ -24,7 +24,7 @@ private module MyConfig implements DataFlow::ConfigSig {
  }

  predicate isSink(DataFlow::Node sink) {
-    exists(ReusableWorkflow w | w.getAnOutput() = sink.asExpr())
+    exists(ReusableWorkflow w | w.getAnOutputExpr() = sink.asExpr())
  }

  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet set) {
--- a/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql
+++ b/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql
@@ -22,7 +22,7 @@ private module MyConfig implements DataFlow::ConfigSig {
  }

  predicate isSink(DataFlow::Node sink) {
-    exists(ReusableWorkflow w | w.getAnOutput() = sink.asExpr())
+    exists(ReusableWorkflow w | w.getAnOutputExpr() = sink.asExpr())
  }
 }

--- a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql
+++ b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql
@@ -19,7 +19,7 @@ import codeql.actions.dataflow.ExternalFlow

 private class ExpressionInjectionSink extends DataFlow::Node {
  ExpressionInjectionSink() {
-    exists(Run e | e.getScript() = this.asExpr()) or
+    exists(Run e | e.getScript().getAnExpression() = this.asExpr()) or
    externallyDefinedSink(this, "expression-injection")
  }
 }
@@ -43,4 +43,5 @@ where
      .getEnclosingWorkflow()
      .hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
 select sink.getNode(), source, sink,
-  "Potential expression injection, which may be controlled by an external user."
+  "Potential expression injection in $@, which may be controlled by an external user.", sink,
+  sink.getNode().asExpr().(ExpressionNode).getExpression()
--- a/ql/src/Security/CWE-094/ExpressionInjection.ql
+++ b/ql/src/Security/CWE-094/ExpressionInjection.ql
@@ -19,7 +19,7 @@ import codeql.actions.dataflow.ExternalFlow

 private class ExpressionInjectionSink extends DataFlow::Node {
  ExpressionInjectionSink() {
-    exists(Run e | e.getScript() = this.asExpr()) or
+    exists(Run e | e.getScript().getAnExpression() = this.asExpr()) or
    externallyDefinedSink(this, "expression-injection")
  }
 }
@@ -37,4 +37,5 @@ import MyFlow::PathGraph
 from MyFlow::PathNode source, MyFlow::PathNode sink
 where MyFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
-  "Potential expression injection, which may be controlled by an external user."
+  "Potential expression injection in $@, which may be controlled by an external user.", sink,
+  sink.getNode().asExpr().(ExpressionNode).getRawExpression()
--- a/ql/src/Security/CWE-829/UntrustedCheckout.ql
+++ b/ql/src/Security/CWE-829/UntrustedCheckout.ql
@@ -39,8 +39,7 @@ where
  job.getAStep() = checkoutStep and
  checkoutStep.getCallee() = "actions/checkout" and
  checkoutStep
-      .getArgument("ref")
-      .(Expression)
+      .getArgumentExpr("ref")
      .getExpression()
      .matches([
          "%github.event.pull_request.head.ref%", "%github.event.pull_request.head.sha%",
--- a/ql/test/library-tests/.github/workflows/expression_nodes.yml
+++ b/ql/test/library-tests/.github/workflows/expression_nodes.yml
@@ -0,0 +1,22 @@
+on: issue_comment
+
+jobs:
+  echo-chamber:
+    runs-on: ubuntu-latest
+    steps:
+      - run: LINE 1echo '${{ github.event.comment.body }}'
+      - run: |
+          LINE 1 echo '${{ github.event.comment.body }}'
+      - run: |
+          LINE 1 echo '${{ github.event.comment.body }}'
+          LINE 2 echo '${{github.event.issue.body}}'
+      - run: >  
+          LINE 1 echo '${{ github.event.comment.body }}'
+          echo '${{github.event.issue.body}}'
+      - run: |   
+          LINE 1 echo '${{ github.event.comment.body }}'
+          LINE 2 echo '${{github.event.issue.body}}'
+          LINE 3 echo '${{ github.event.comment.body }}'
+      - run: "LINE 1 echo '${{ github.event.comment.body }}'
+          echo '${{github.event.issue.body}}'"
+
--- a/ql/test/library-tests/test.expected
+++ b/ql/test/library-tests/test.expected
@@ -1,6 +1,36 @@
 files
+| .github/workflows/expression_nodes.yml:0:0:0:0 | .github/workflows/expression_nodes.yml |
 | .github/workflows/test.yml:0:0:0:0 | .github/workflows/test.yml |
 yamlNodes
+| .github/workflows/expression_nodes.yml:1:1:1:2 | on |
+| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment |
+| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment |
+| .github/workflows/expression_nodes.yml:3:1:3:4 | jobs |
+| .github/workflows/expression_nodes.yml:4:3:4:14 | echo-chamber |
+| .github/workflows/expression_nodes.yml:4:3:21:47 | echo-chamber: |
+| .github/workflows/expression_nodes.yml:5:5:5:11 | runs-on |
+| .github/workflows/expression_nodes.yml:5:5:21:47 | runs-on ... -latest |
+| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest |
+| .github/workflows/expression_nodes.yml:6:5:6:9 | steps |
+| .github/workflows/expression_nodes.yml:7:7:21:47 | - run:  ... ody }}' |
+| .github/workflows/expression_nodes.yml:7:9:7:11 | run |
+| .github/workflows/expression_nodes.yml:7:9:8:6 | run: LI ... ody }}' |
+| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1e ... ody }}' |
+| .github/workflows/expression_nodes.yml:8:9:8:11 | run |
+| .github/workflows/expression_nodes.yml:8:9:10:6 | run: \| |
+| .github/workflows/expression_nodes.yml:8:14:9:57 | \| |
+| .github/workflows/expression_nodes.yml:10:9:10:11 | run |
+| .github/workflows/expression_nodes.yml:10:9:13:6 | run: \| |
+| .github/workflows/expression_nodes.yml:10:14:12:53 | \| |
+| .github/workflows/expression_nodes.yml:13:9:13:11 | run |
+| .github/workflows/expression_nodes.yml:13:9:16:6 | run: >   |
+| .github/workflows/expression_nodes.yml:13:14:15:46 | >   |
+| .github/workflows/expression_nodes.yml:16:9:16:11 | run |
+| .github/workflows/expression_nodes.yml:16:9:20:6 | run: \|    |
+| .github/workflows/expression_nodes.yml:16:14:19:57 | \|    |
+| .github/workflows/expression_nodes.yml:20:9:20:11 | run |
+| .github/workflows/expression_nodes.yml:20:9:21:47 | run: "L ... ody }}' |
+| .github/workflows/expression_nodes.yml:20:14:21:46 | "LINE 1 ... ody }}' |
 | .github/workflows/test.yml:1:1:1:2 | on |
 | .github/workflows/test.yml:1:1:40:53 | on: push |
 | .github/workflows/test.yml:1:5:1:8 | push |
@@ -71,15 +101,47 @@ yamlNodes
 | .github/workflows/test.yml:40:9:40:11 | run |
 | .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} |
 jobNodes
+| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber |
 | .github/workflows/test.yml:5:5:31:2 | Job: job1 |
 | .github/workflows/test.yml:32:5:40:53 | Job: job2 |
 stepNodes
+| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step |
+| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step |
+| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step |
+| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step |
+| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step |
+| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step |
 | .github/workflows/test.yml:11:9:15:6 | Uses Step |
 | .github/workflows/test.yml:15:9:19:6 | Uses Step: source |
 | .github/workflows/test.yml:19:9:26:6 | Uses Step: step |
 | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 |
 | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 |
 | .github/workflows/test.yml:39:9:40:53 | Run Step: sink |
+runNodes
+| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step |
+| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step |
+| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step |
+| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step |
+| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step |
+| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step |
+| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 |
+| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 |
+| .github/workflows/test.yml:39:9:40:53 | Run Step: sink |
+runExprNodes
+| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body |
+| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body |
+| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body |
+| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body |
+| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body |
+| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body |
+| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body |
+| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body |
+| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body |
+| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body |
+| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body |
+| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files |
+| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref |
+| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output |
 allUsesNodes
 | .github/workflows/test.yml:11:9:15:6 | Uses Step |
 | .github/workflows/test.yml:15:9:19:6 | Uses Step: source |
@@ -93,12 +155,30 @@ jobUsesNodes
 | .github/workflows/test.yml:15:9:19:6 | Uses Step: source |
 | .github/workflows/test.yml:19:9:26:6 | Uses Step: step |
 usesSteps
-| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | source | .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} |
+| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | source | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files |
 runSteps
+| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | LINE 1echo '${{ github.event.comment.body }}' |
+| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\n |
+| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n |
+| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n |
+| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n |
+| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' |
 | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} |
 | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ github.event.pull_request.head.ref }} |
 | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} |
 runStepChildren
+| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:9:7:11 | run |
+| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1e ... ody }}' |
+| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:9:8:11 | run |
+| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:14:9:57 | \| |
+| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:9:10:11 | run |
+| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:14:12:53 | \| |
+| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:9:13:11 | run |
+| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:14:15:46 | >   |
+| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:9:16:11 | run |
+| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:14:19:57 | \|    |
+| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:9:20:11 | run |
+| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | "LINE 1 ... ody }}' |
 | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:9:26:10 | id |
 | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 |
 | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:9:27:11 | run |
@@ -112,6 +192,45 @@ runStepChildren
 | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:9:40:11 | run |
 | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} |
 parentNodes
+| .github/workflows/expression_nodes.yml:1:1:1:2 | on | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment |
+| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment |
+| .github/workflows/expression_nodes.yml:3:1:3:4 | jobs | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment |
+| .github/workflows/expression_nodes.yml:4:3:4:14 | echo-chamber | .github/workflows/expression_nodes.yml:4:3:21:47 | echo-chamber: |
+| .github/workflows/expression_nodes.yml:4:3:21:47 | echo-chamber: | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment |
+| .github/workflows/expression_nodes.yml:5:5:5:11 | runs-on | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber |
+| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:4:3:21:47 | echo-chamber: |
+| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber |
+| .github/workflows/expression_nodes.yml:6:5:6:9 | steps | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber |
+| .github/workflows/expression_nodes.yml:7:7:21:47 | - run:  ... ody }}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber |
+| .github/workflows/expression_nodes.yml:7:9:7:11 | run | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step |
+| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:7:21:47 | - run:  ... ody }}' |
+| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1e ... ody }}' | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step |
+| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1e ... ody }}' |
+| .github/workflows/expression_nodes.yml:8:9:8:11 | run | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step |
+| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:7:7:21:47 | - run:  ... ody }}' |
+| .github/workflows/expression_nodes.yml:8:14:9:57 | \| | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step |
+| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:8:14:9:57 | \| |
+| .github/workflows/expression_nodes.yml:10:9:10:11 | run | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step |
+| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:7:7:21:47 | - run:  ... ody }}' |
+| .github/workflows/expression_nodes.yml:10:14:12:53 | \| | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step |
+| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:10:14:12:53 | \| |
+| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:10:14:12:53 | \| |
+| .github/workflows/expression_nodes.yml:13:9:13:11 | run | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step |
+| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:7:7:21:47 | - run:  ... ody }}' |
+| .github/workflows/expression_nodes.yml:13:14:15:46 | >   | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step |
+| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:13:14:15:46 | >   |
+| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:13:14:15:46 | >   |
+| .github/workflows/expression_nodes.yml:16:9:16:11 | run | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step |
+| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:7:7:21:47 | - run:  ... ody }}' |
+| .github/workflows/expression_nodes.yml:16:14:19:57 | \|    | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step |
+| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | \|    |
+| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:16:14:19:57 | \|    |
+| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | \|    |
+| .github/workflows/expression_nodes.yml:20:9:20:11 | run | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step |
+| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:7:7:21:47 | - run:  ... ody }}' |
+| .github/workflows/expression_nodes.yml:20:14:21:46 | "LINE 1 ... ody }}' | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step |
+| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | "LINE 1 ... ody }}' |
+| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | "LINE 1 ... ody }}' |
 | .github/workflows/test.yml:1:1:1:2 | on | .github/workflows/test.yml:1:1:40:53 | on: push |
 | .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push |
 | .github/workflows/test.yml:3:1:3:4 | jobs | .github/workflows/test.yml:1:1:40:53 | on: push |
@@ -124,6 +243,7 @@ parentNodes
 | .github/workflows/test.yml:8:7:8:16 | job_output | .github/workflows/test.yml:8:7:10:4 | Job outputs node |
 | .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:5:5:31:2 | Job: job1 |
 | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | .github/workflows/test.yml:8:7:10:4 | Job outputs node |
+| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} |
 | .github/workflows/test.yml:10:5:10:9 | steps | .github/workflows/test.yml:5:5:31:2 | Job: job1 |
 | .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 | .github/workflows/test.yml:5:5:31:2 | Job: job1 |
 | .github/workflows/test.yml:11:9:11:12 | uses | .github/workflows/test.yml:11:9:15:6 | Uses Step |
@@ -151,6 +271,7 @@ parentNodes
 | .github/workflows/test.yml:23:11:23:16 | source | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} |
 | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} | .github/workflows/test.yml:19:9:26:6 | Uses Step: step |
 | .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} |
+| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} |
 | .github/workflows/test.yml:24:11:24:14 | find | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} |
 | .github/workflows/test.yml:24:17:24:21 | "foo" | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} |
 | .github/workflows/test.yml:25:11:25:17 | replace | .github/workflows/test.yml:23:11:26:6 | source: ... iles }} |
@@ -160,17 +281,20 @@ parentNodes
 | .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 |
 | .github/workflows/test.yml:27:9:27:11 | run | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 |
 | .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 |
+| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} |
 | .github/workflows/test.yml:28:9:28:10 | id | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 |
 | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:11:7:31:2 | - uses: ... kout@v4 |
 | .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 |
 | .github/workflows/test.yml:29:9:29:11 | run | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 |
 | .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 |
+| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} |
 | .github/workflows/test.yml:31:3:31:6 | job2 | .github/workflows/test.yml:4:3:40:53 | job1: |
 | .github/workflows/test.yml:32:5:32:11 | runs-on | .github/workflows/test.yml:32:5:40:53 | Job: job2 |
 | .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:4:3:40:53 | job1: |
 | .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:32:5:40:53 | Job: job2 |
 | .github/workflows/test.yml:34:5:34:6 | if | .github/workflows/test.yml:32:5:40:53 | Job: job2 |
 | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 |
+| .github/workflows/test.yml:34:10:34:24 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} |
 | .github/workflows/test.yml:36:5:36:9 | needs | .github/workflows/test.yml:32:5:40:53 | Job: job2 |
 | .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 |
 | .github/workflows/test.yml:38:5:38:9 | steps | .github/workflows/test.yml:32:5:40:53 | Job: job2 |
@@ -180,72 +304,154 @@ parentNodes
 | .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:39:9:40:53 | Run Step: sink |
 | .github/workflows/test.yml:40:9:40:11 | run | .github/workflows/test.yml:39:9:40:53 | Run Step: sink |
 | .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | .github/workflows/test.yml:39:9:40:53 | Run Step: sink |
+| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} |
 cfgNodes
+| .github/workflows/expression_nodes.yml:1:1:21:47 | enter on: issue_comment |
+| .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment |
+| .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment (normal) |
+| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment |
+| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber |
+| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step |
+| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1e ... ody }}' |
+| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body |
+| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step |
+| .github/workflows/expression_nodes.yml:8:14:9:57 | \| |
+| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body |
+| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step |
+| .github/workflows/expression_nodes.yml:10:14:12:53 | \| |
+| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body |
+| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body |
+| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step |
+| .github/workflows/expression_nodes.yml:13:14:15:46 | >   |
+| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body |
+| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body |
+| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step |
+| .github/workflows/expression_nodes.yml:16:14:19:57 | \|    |
+| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body |
+| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body |
+| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body |
+| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step |
+| .github/workflows/expression_nodes.yml:20:14:21:46 | "LINE 1 ... ody }}' |
+| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body |
+| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body |
 | .github/workflows/test.yml:1:1:40:53 | enter on: push |
 | .github/workflows/test.yml:1:1:40:53 | exit on: push |
 | .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) |
 | .github/workflows/test.yml:1:1:40:53 | on: push |
 | .github/workflows/test.yml:5:5:31:2 | Job: job1 |
 | .github/workflows/test.yml:8:7:10:4 | Job outputs node |
-| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} |
+| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value |
 | .github/workflows/test.yml:11:9:15:6 | Uses Step |
 | .github/workflows/test.yml:15:9:19:6 | Uses Step: source |
 | .github/workflows/test.yml:19:9:26:6 | Uses Step: step |
-| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} |
-| .github/workflows/test.yml:24:17:24:21 | "foo" |
-| .github/workflows/test.yml:25:20:25:21 | "" |
+| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files |
 | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 |
 | .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} |
+| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files |
 | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 |
 | .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} |
+| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref |
 | .github/workflows/test.yml:32:5:40:53 | Job: job2 |
 | .github/workflows/test.yml:39:9:40:53 | Run Step: sink |
 | .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} |
+| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output |
 dfNodes
+| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step |
+| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body |
+| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step |
+| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body |
+| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step |
+| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body |
+| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body |
+| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step |
+| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body |
+| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body |
+| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step |
+| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body |
+| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body |
+| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body |
+| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step |
+| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body |
+| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body |
 | .github/workflows/test.yml:8:7:10:4 | Job outputs node |
-| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} |
+| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value |
 | .github/workflows/test.yml:11:9:15:6 | Uses Step |
 | .github/workflows/test.yml:15:9:19:6 | Uses Step: source |
 | .github/workflows/test.yml:19:9:26:6 | Uses Step: step |
-| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} |
+| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files |
 | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 |
-| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} |
+| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files |
 | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 |
-| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} |
+| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref |
 | .github/workflows/test.yml:39:9:40:53 | Run Step: sink |
-| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} |
+| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output |
 exprNodes
+| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step |
+| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body |
+| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step |
+| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body |
+| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step |
+| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body |
+| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body |
+| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step |
+| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body |
+| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body |
+| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step |
+| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body |
+| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body |
+| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body |
+| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step |
+| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body |
+| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body |
 | .github/workflows/test.yml:8:7:10:4 | Job outputs node |
-| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} |
+| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value |
 | .github/workflows/test.yml:11:9:15:6 | Uses Step |
 | .github/workflows/test.yml:15:9:19:6 | Uses Step: source |
 | .github/workflows/test.yml:19:9:26:6 | Uses Step: step |
-| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} |
+| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files |
 | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 |
-| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} |
+| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files |
 | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 |
-| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} |
+| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref |
 | .github/workflows/test.yml:39:9:40:53 | Run Step: sink |
-| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} |
+| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output |
 argumentNodes
-| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} |
+| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files |
 usesIds
 | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | source |
 | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | step |
 nodeLocations
+| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:9:8:6 | .github/workflows/expression_nodes.yml@7:9:8:6 |
+| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:27:7:58 | .github/workflows/expression_nodes.yml@7:27:7:58 |
+| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:9:10:6 | .github/workflows/expression_nodes.yml@8:9:10:6 |
+| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:9:25:9:56 | .github/workflows/expression_nodes.yml@9:25:9:56 |
+| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:9:13:6 | .github/workflows/expression_nodes.yml@10:9:13:6 |
+| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:11:25:11:56 | .github/workflows/expression_nodes.yml@11:25:11:56 |
+| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:12:24:12:51 | .github/workflows/expression_nodes.yml@12:24:12:51 |
+| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:9:16:6 | .github/workflows/expression_nodes.yml@13:9:16:6 |
+| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 |
+| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 |
+| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:9:20:6 | .github/workflows/expression_nodes.yml@16:9:20:6 |
+| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:17:25:17:56 | .github/workflows/expression_nodes.yml@17:25:17:56 |
+| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:18:24:18:51 | .github/workflows/expression_nodes.yml@18:24:18:51 |
+| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:19:24:19:55 | .github/workflows/expression_nodes.yml@19:24:19:55 |
+| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:9:21:47 | .github/workflows/expression_nodes.yml@20:9:21:47 |
+| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 |
+| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 |
 | .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 |
-| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... alue }} | .github/workflows/test.yml:8:19:8:49 | .github/workflows/test.yml@8:19:8:49 |
+| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:20:8:50 | .github/workflows/test.yml@8:20:8:50 |
 | .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:11:9:15:6 | .github/workflows/test.yml@11:9:15:6 |
 | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:15:9:19:6 | .github/workflows/test.yml@15:9:19:6 |
 | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:19:9:26:6 | .github/workflows/test.yml@19:9:26:6 |
-| .github/workflows/test.yml:23:19:23:63 | ${{ ste ... iles }} | .github/workflows/test.yml:23:19:23:63 | .github/workflows/test.yml@23:19:23:63 |
+| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:20:23:64 | .github/workflows/test.yml@23:20:23:64 |
 | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:9:28:6 | .github/workflows/test.yml@26:9:28:6 |
-| .github/workflows/test.yml:27:14:27:63 | echo ${ ... iles }} | .github/workflows/test.yml:27:14:27:63 | .github/workflows/test.yml@27:14:27:63 |
+| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:20:27:64 | .github/workflows/test.yml@27:20:27:64 |
 | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:9:31:2 | .github/workflows/test.yml@28:9:31:2 |
-| .github/workflows/test.yml:29:14:29:54 | ${{ git ... .ref }} | .github/workflows/test.yml:29:14:29:54 | .github/workflows/test.yml@29:14:29:54 |
+| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:15:29:55 | .github/workflows/test.yml@29:15:29:55 |
 | .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:9:40:53 | .github/workflows/test.yml@39:9:40:53 |
-| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} | .github/workflows/test.yml:40:14:40:52 | .github/workflows/test.yml@40:14:40:52 |
+| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:20:40:53 | .github/workflows/test.yml@40:20:40:53 |
 scopes
+| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment |
 | .github/workflows/test.yml:1:1:40:53 | on: push |
 sources
 | ahmadnassri/action-changed-files | * | output.files | pull_request_target | PR changed files |
@@ -349,4 +555,4 @@ calls
 | .github/workflows/test.yml:15:9:19:6 | Uses Step: source | tj-actions/changed-files |
 | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | mad9000/actions-find-and-replace-string |
 needs
-| .github/workflows/test.yml:40:14:40:52 | echo ${ ... utput}} |
+| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output |
--- a/ql/test/library-tests/test.ql
+++ b/ql/test/library-tests/test.ql
@@ -13,14 +13,18 @@ query predicate jobNodes(Job s) { any() }

 query predicate stepNodes(Step s) { any() }

+query predicate runNodes(Run s) { any() }
+
+query predicate runExprNodes(Run s, ExpressionNode e) { e = s.getScript().getAnExpression() }
+
 query predicate allUsesNodes(Uses s) { any() }

 query predicate stepUsesNodes(UsesStep s) { any() }

 query predicate jobUsesNodes(UsesStep s) { any() }

-query predicate usesSteps(Uses call, string argname, Expression arg) {
-  call.getArgument(argname) = arg
+query predicate usesSteps(Uses call, string argname, AstNode arg) {
+  call.getArgumentExpr(argname) = arg
 }

 query predicate runSteps(Run run, string body) { run.getScript().getValue() = body }
--- a/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected
+++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected
@@ -1,15 +1,15 @@
 edges
-| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:28:17:28:42 | ${{ inp ... reet }} |
-| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:12:35:51 | echo "H ... et }}." |
-| action1/action.yml:24:7:31:4 | Uses Step: replace [value] | action1/action.yml:32:12:32:50 | echo ${ ... alue }} |
-| action1/action.yml:28:17:28:42 | ${{ inp ... reet }} | action1/action.yml:24:7:31:4 | Uses Step: replace [value] |
+| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:28:18:28:43 | inputs.who-to-greet |
+| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet |
+| action1/action.yml:24:7:31:4 | Uses Step: replace [value] | action1/action.yml:32:18:32:51 | steps.replace.outputs.value |
+| action1/action.yml:28:18:28:43 | inputs.who-to-greet | action1/action.yml:24:7:31:4 | Uses Step: replace [value] |
 nodes
 | action1/action.yml:4:3:4:14 | input who-to-greet | semmle.label | input who-to-greet |
 | action1/action.yml:24:7:31:4 | Uses Step: replace [value] | semmle.label | Uses Step: replace [value] |
-| action1/action.yml:28:17:28:42 | ${{ inp ... reet }} | semmle.label | ${{ inp ... reet }} |
-| action1/action.yml:32:12:32:50 | echo ${ ... alue }} | semmle.label | echo ${ ... alue }} |
-| action1/action.yml:35:12:35:51 | echo "H ... et }}." | semmle.label | echo "H ... et }}." |
+| action1/action.yml:28:18:28:43 | inputs.who-to-greet | semmle.label | inputs.who-to-greet |
+| action1/action.yml:32:18:32:51 | steps.replace.outputs.value | semmle.label | steps.replace.outputs.value |
+| action1/action.yml:35:25:35:50 | inputs.who-to-greet | semmle.label | inputs.who-to-greet |
 subpaths
 #select
-| action1/action.yml:32:12:32:50 | echo ${ ... alue }} | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:32:12:32:50 | echo ${ ... alue }} | Sink |
-| action1/action.yml:35:12:35:51 | echo "H ... et }}." | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:12:35:51 | echo "H ... et }}." | Sink |
+| action1/action.yml:32:18:32:51 | steps.replace.outputs.value | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | Sink |
+| action1/action.yml:35:25:35:50 | inputs.who-to-greet | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | Sink |
--- a/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected
+++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected
@@ -1,12 +1,12 @@
 edges
-| action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:48:18:48:69 | ${{ ste ... iles }} |
-| action1/action.yml:44:7:48:70 | Run Step: source [tainted] | action1/action.yml:14:12:14:45 | ${{ ste ... inted}} |
-| action1/action.yml:48:18:48:69 | ${{ ste ... iles }} | action1/action.yml:44:7:48:70 | Run Step: source [tainted] |
+| action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files |
+| action1/action.yml:44:7:48:70 | Run Step: source [tainted] | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted |
+| action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:44:7:48:70 | Run Step: source [tainted] |
 nodes
-| action1/action.yml:14:12:14:45 | ${{ ste ... inted}} | semmle.label | ${{ ste ... inted}} |
+| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | semmle.label | steps.source.outputs.tainted |
 | action1/action.yml:42:7:44:4 | Uses Step: changed-files | semmle.label | Uses Step: changed-files |
 | action1/action.yml:44:7:48:70 | Run Step: source [tainted] | semmle.label | Run Step: source [tainted] |
-| action1/action.yml:48:18:48:69 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} |
+| action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files |
 subpaths
 #select
-| action1/action.yml:14:12:14:45 | ${{ ste ... inted}} | action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:14:12:14:45 | ${{ ste ... inted}} | Source |
+| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source |
--- a/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected
+++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected
@@ -1,12 +1,12 @@
 edges
-| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:41:29:41:54 | ${{ inp ... reet }} |
-| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:12:11:51 | ${{ ste ... cted }} |
-| action1/action.yml:41:29:41:54 | ${{ inp ... reet }} | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] |
+| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:41:30:41:55 | inputs.who-to-greet |
+| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected |
+| action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] |
 nodes
 | action1/action.yml:4:3:4:14 | input who-to-greet | semmle.label | input who-to-greet |
-| action1/action.yml:11:12:11:51 | ${{ ste ... cted }} | semmle.label | ${{ ste ... cted }} |
+| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | semmle.label | steps.reflector.outputs.reflected |
 | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | semmle.label | Run Step: reflector [reflected] |
-| action1/action.yml:41:29:41:54 | ${{ inp ... reet }} | semmle.label | ${{ inp ... reet }} |
+| action1/action.yml:41:30:41:55 | inputs.who-to-greet | semmle.label | inputs.who-to-greet |
 subpaths
 #select
-| action1/action.yml:11:12:11:51 | ${{ ste ... cted }} | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:11:12:11:51 | ${{ ste ... cted }} | Summary |
+| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Summary |
--- a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected
+++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected
@@ -1,8 +1,8 @@
 edges
-| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:28:14:30:62 | \| |
+| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path |
 nodes
 | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path |
-| .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | semmle.label | \| |
+| .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | semmle.label | inputs.config-path |
 subpaths
 #select
-| .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | Sink |
+| .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | Sink |
--- a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected
+++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected
@@ -1,12 +1,12 @@
 edges
-| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} |
-| .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] |
-| .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} |
+| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 |
+| .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] |
+| .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files |
 nodes
-| .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | semmle.label | ${{ job ... put2 }} |
+| .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | semmle.label | jobs.job1.outputs.job-output2 |
 | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | semmle.label | Job outputs node [job-output2] |
-| .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} | semmle.label | ${{ ste ... files}} |
+| .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | semmle.label | steps.step2.outputs.all_changed_files |
 | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | semmle.label | Uses Step: step2 |
 subpaths
 #select
-| .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | Source |
+| .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | Source |
--- a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected
+++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected
@@ -1,16 +1,16 @@
 edges
-| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} |
-| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} |
-| .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] |
-| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} |
-| .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] |
+| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path |
+| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 |
+| .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] |
+| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output |
+| .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] |
 nodes
 | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path |
-| .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | semmle.label | ${{ job ... put1 }} |
+| .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | semmle.label | jobs.job1.outputs.job-output1 |
 | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | semmle.label | Job outputs node [job-output1] |
-| .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | semmle.label | ${{ ste ... utput}} |
+| .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | semmle.label | steps.step1.outputs.step-output |
 | .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | semmle.label | Run Step: step1 [step-output] |
-| .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | semmle.label | ${{ inp ... path }} |
+| .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | semmle.label | inputs.config-path |
 subpaths
 #select
-| .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | Summary |
+| .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | Summary |
--- a/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue.yml
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue.yml
@@ -5,7 +5,9 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - run: |
+        Foo
        echo '${{ github.event.comment.body }}'
+        Bar

  echo-chamber2:
    runs-on: ubuntu-latest
@@ -25,4 +27,4 @@ jobs:
        script: console.log('${{ github.event.issue.body }}')
    - uses: actions/github-script@v3
      with:
-        script: console.log('${{ github.event.issue.title }}')
+        script: console.log('${{ github.event.issue.title }}')
--- a/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue_newline.yml
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue_newline.yml
@@ -7,4 +7,6 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - run: |
-          echo '${{ github.event.comment.body }}'
+          LINE 1 echo '${{ github.event.comment.body }}'
+          LINE 2 echo '${{github.event.issue.body}}'
+          LINE 3 echo '${{ github.event.comment.body }}'
--- a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected
+++ b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected
@@ -1,260 +1,261 @@
 edges
-| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:26:14:27:95 | \| |
-| .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} |
-| .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] |
-| .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:21:14:24:15 | \| |
-| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} |
-| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} |
-| .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] |
-| .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | .github/workflows/cross3.yml:41:12:43:5 | \| |
-| .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | .github/workflows/cross3.yml:61:21:68:47 | \| |
-| .github/workflows/cross3.yml:61:21:68:47 | \| | .github/workflows/cross3.yml:47:12:53:109 | \| |
-| .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} |
-| .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] |
-| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} |
-| .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] |
-| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | .github/workflows/image_link_generator.yml:36:14:37:126 | \| |
-| .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] |
-| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job0.yml:43:14:43:52 | echo ${ ... utput}} |
-| .github/workflows/inter-job0.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] |
-| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:30:19:30:63 | ${{ ste ... iles }} |
-| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job0.yml:15:19:15:49 | ${{ ste ... alue }} |
-| .github/workflows/inter-job0.yml:30:19:30:63 | ${{ ste ... iles }} | .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] |
-| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job1.yml:43:14:43:52 | echo ${ ... utput}} |
-| .github/workflows/inter-job1.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] |
-| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:30:19:30:63 | ${{ ste ... iles }} |
-| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job1.yml:15:19:15:49 | ${{ ste ... alue }} |
-| .github/workflows/inter-job1.yml:30:19:30:63 | ${{ ste ... iles }} | .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] |
-| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job2.yml:45:14:45:52 | echo ${ ... utput}} |
-| .github/workflows/inter-job2.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] |
-| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:30:19:30:63 | ${{ ste ... iles }} |
-| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job2.yml:15:19:15:49 | ${{ ste ... alue }} |
-| .github/workflows/inter-job2.yml:30:19:30:63 | ${{ ste ... iles }} | .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] |
-| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job4.yml:44:14:44:52 | echo ${ ... utput}} |
-| .github/workflows/inter-job4.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] |
-| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:30:19:30:63 | ${{ ste ... iles }} |
-| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job4.yml:15:19:15:49 | ${{ ste ... alue }} |
-| .github/workflows/inter-job4.yml:30:19:30:63 | ${{ ste ... iles }} | .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] |
-| .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' |
-| .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' |
-| .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' |
-| .github/workflows/matrix.yml:15:7:16:4 | Job outputs node [matrix] | .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} |
-| .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | .github/workflows/matrix.yml:15:7:16:4 | Job outputs node [matrix] |
-| .github/workflows/matrix.yml:17:9:21:2 | Uses Step: set-matrix | .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} |
-| .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | .github/workflows/matrix.yml:41:12:42:31 | \|  |
-| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | .github/workflows/simple1.yml:15:14:16:50 | \| |
-| .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] |
-| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} |
-| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:28:14:31:15 | \| |
-| .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] |
-| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} |
-| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] |
-| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} |
-| .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] |
-| .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} |
-| .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] |
-| .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} |
-| .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] |
+| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced |
+| .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE |
+| .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] |
+| .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files |
+| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced |
+| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced |
+| .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] |
+| .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED |
+| .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED |
+| .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message |
+| .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url |
+| .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] |
+| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url |
+| .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] |
+| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url |
+| .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] |
+| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output |
+| .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] |
+| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files |
+| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value |
+| .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] |
+| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output |
+| .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] |
+| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files |
+| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value |
+| .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] |
+| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output |
+| .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] |
+| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files |
+| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value |
+| .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] |
+| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output |
+| .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] |
+| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files |
+| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value |
+| .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] |
+| .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env |
+| .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env |
+| .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env |
+| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value |
+| .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] |
+| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files |
+| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value |
+| .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] |
+| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output |
+| .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] |
+| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value |
+| .github/workflows/test.yml:15:20:15:58 | github.event.head_commit.message | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] |
+| .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG |
+| .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] |
+| .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test |
+| .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] |
 nodes
 | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] |
-| .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | semmle.label | ${{gith ... title}} |
-| .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | semmle.label | ${{env.ISSUE_TITLE}} |
-| .github/workflows/argus_case_study.yml:26:14:27:95 | \| | semmle.label | \| |
+| .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title |
+| .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE |
+| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced |
 | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | semmle.label | Uses Step: changed-files |
-| .github/workflows/changed-files.yml:21:14:24:15 | \| | semmle.label | \| |
-| .github/workflows/comment_issue.yml:7:12:8:48 | \| | semmle.label | \| |
-| .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' |
-| .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' |
-| .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' |
-| .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | semmle.label | \| |
+| .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files |
+| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | semmle.label | github.event.comment.body |
+| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | semmle.label | github.event.comment.body |
+| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | semmle.label | github.event.issue.body |
+| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | semmle.label | github.event.issue.title |
+| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | semmle.label | github.event.comment.body |
+| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | semmle.label | github.event.issue.body |
+| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | semmle.label | github.event.issue.title |
+| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | semmle.label | github.event.comment.body |
+| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | semmle.label | github.event.issue.body |
+| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | semmle.label | github.event.comment.body |
 | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] |
-| .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | semmle.label | ${{gith ... ssage}} |
-| .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | semmle.label | ${{step ... laced}} |
-| .github/workflows/cross3.yml:41:12:43:5 | \| | semmle.label | \| |
-| .github/workflows/cross3.yml:47:12:53:109 | \| | semmle.label | \| |
-| .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | semmle.label | ${{step ... laced}} |
-| .github/workflows/cross3.yml:61:21:68:47 | \| | semmle.label | \| |
-| .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' |
-| .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' |
-| .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' |
-| .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' |
-| .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' |
-| .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' |
-| .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' |
-| .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' |
-| .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' |
+| .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | semmle.label | github.event.commits[0].message |
+| .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced |
+| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | semmle.label | env.ISSUE_BODY_PARSED |
+| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | semmle.label | env.pr_message |
+| .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced |
+| .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | semmle.label | env.ISSUE_BODY_PARSED |
+| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | semmle.label | github.event.discussion.title |
+| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | semmle.label | github.event.discussion.body |
+| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | semmle.label | github.event.discussion.title |
+| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | semmle.label | github.event.discussion.body |
+| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | semmle.label | github.event.comment.body |
+| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | semmle.label | github.event.pages[1].title |
+| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | semmle.label | github.event.pages[11].title |
+| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | semmle.label | github.event.pages[0].page_name |
+| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | semmle.label | github.event.pages[2222].page_name |
 | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | semmle.label | Run Step: extract-url [initial_url] |
-| .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | semmle.label | ${{ git ... body }} |
+| .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | semmle.label | github.event.comment.body |
 | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | semmle.label | Run Step: curl [redirected_url] |
-| .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} |
+| .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | semmle.label | steps.extract-url.outputs.initial_url |
 | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | semmle.label | Run Step: trim-url [trimmed_url] |
-| .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} |
-| .github/workflows/image_link_generator.yml:36:14:37:126 | \| | semmle.label | \| |
+| .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | semmle.label | steps.curl.outputs.redirected_url |
+| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | semmle.label | steps.trim-url.outputs.trimmed_url |
 | .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
-| .github/workflows/inter-job0.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} |
+| .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value |
 | .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source |
 | .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] |
-| .github/workflows/inter-job0.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} |
-| .github/workflows/inter-job0.yml:43:14:43:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} |
+| .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files |
+| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output |
 | .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
-| .github/workflows/inter-job1.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} |
+| .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value |
 | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source |
 | .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] |
-| .github/workflows/inter-job1.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} |
-| .github/workflows/inter-job1.yml:43:14:43:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} |
+| .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files |
+| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output |
 | .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
-| .github/workflows/inter-job2.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} |
+| .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value |
 | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source |
 | .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] |
-| .github/workflows/inter-job2.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} |
-| .github/workflows/inter-job2.yml:45:14:45:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} |
+| .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files |
+| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output |
 | .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
-| .github/workflows/inter-job4.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} |
+| .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value |
 | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source |
 | .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] |
-| .github/workflows/inter-job4.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} |
-| .github/workflows/inter-job4.yml:44:14:44:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} |
-| .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} |
-| .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} |
-| .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' |
-| .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' |
-| .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' |
-| .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' |
-| .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' |
-| .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} |
-| .github/workflows/matrix.yml:15:7:16:4 | Job outputs node [matrix] | semmle.label | Job outputs node [matrix] |
-| .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} |
-| .github/workflows/matrix.yml:17:9:21:2 | Uses Step: set-matrix | semmle.label | Uses Step: set-matrix |
-| .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | semmle.label | ${{ fro ... rix) }} |
-| .github/workflows/matrix.yml:41:12:42:31 | \|  | semmle.label | \|  |
-| .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' |
-| .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' |
-| .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | semmle.label | echo '$ ... bel }}' |
-| .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | semmle.label | echo '$ ... nch }}' |
-| .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | semmle.label | echo '$ ... ion }}' |
-| .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' |
-| .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' |
-| .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' |
-| .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' |
-| .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' |
-| .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | semmle.label | echo '$ ... bel }}' |
-| .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | semmle.label | echo '$ ... nch }}' |
-| .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | semmle.label | echo '$ ... ion }}' |
-| .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' |
-| .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' |
-| .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' |
-| .github/workflows/pull_request_target.yml:7:12:7:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' |
-| .github/workflows/pull_request_target.yml:8:12:8:48 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' |
-| .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' |
-| .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' |
-| .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | semmle.label | echo '$ ... bel }}' |
-| .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | semmle.label | echo '$ ... nch }}' |
-| .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | semmle.label | echo '$ ... ion }}' |
-| .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' |
-| .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' |
-| .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' |
-| .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' |
-| .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' |
-| .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' |
-| .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' |
-| .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' |
-| .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' |
-| .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' |
-| .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' |
-| .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' |
-| .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' |
+| .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files |
+| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output |
+| .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | semmle.label | github.event.issue.title |
+| .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | semmle.label | github.event.issue.title |
+| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | semmle.label | github.event.issue.title |
+| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | semmle.label | github.event.issue.body |
+| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | semmle.label | env.global_env |
+| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | semmle.label | env.job_env |
+| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | semmle.label | env.step_env |
+| .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | semmle.label | github.event.issue.title |
+| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
+| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label |
+| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch |
+| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description |
+| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage |
+| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref |
+| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | semmle.label | github.event.review.body |
+| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
+| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label |
+| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch |
+| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description |
+| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage |
+| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref |
+| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body |
+| .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | semmle.label | github.event.issue.title |
+| .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | semmle.label | github.event.issue.body |
+| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
+| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label |
+| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch |
+| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description |
+| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage |
+| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref |
+| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | semmle.label | github.head_ref |
+| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | semmle.label | github.event.commits[11].message |
+| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | semmle.label | github.event.commits[11].author.email |
+| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | semmle.label | github.event.commits[11].author.name |
+| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
+| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | semmle.label | github.event.head_commit.author.email |
+| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | semmle.label | github.event.head_commit.author.name |
+| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | semmle.label | github.event.head_commit.committer.email |
+| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name |
+| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email |
+| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name |
 | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | semmle.label | Uses Step: summary [value] |
-| .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | semmle.label | ${{ git ... sage }} |
-| .github/workflows/simple1.yml:15:14:16:50 | \| | semmle.label | \| |
+| .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
+| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | semmle.label | steps.summary.outputs.value |
 | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | semmle.label | Uses Step: source |
 | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | semmle.label | Uses Step: step [value] |
-| .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} |
-| .github/workflows/simple2.yml:28:14:31:15 | \| | semmle.label | \| |
+| .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files |
+| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | semmle.label | steps.step.outputs.value |
 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
-| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | semmle.label | ${{ ste ... test }} |
+| .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | semmle.label | steps.step2.outputs.test |
 | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] |
-| .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | semmle.label | ${{ git ... sage }} |
+| .github/workflows/test.yml:15:20:15:58 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
 | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | semmle.label | Run Step: step1 [MSG] |
-| .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | semmle.label | ${{ ste ... value}} |
+| .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | semmle.label | steps.step0.outputs.value |
 | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | semmle.label | Run Step: step2 [test] |
-| .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | semmle.label | ${{step ... s.MSG}} |
-| .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} |
-| .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' |
-| .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' |
-| .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' |
-| .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' |
-| .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' |
-| .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' |
-| .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | semmle.label | echo '$ ... nch }}' |
-| .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | semmle.label | echo '$ ... ion }}' |
-| action1/action.yml:14:12:14:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' |
+| .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | semmle.label | steps.step1.outputs.MSG |
+| .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output |
+| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | semmle.label | github.event.workflow_run.display_title |
+| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | semmle.label | github.event.workflow_run.head_commit.message |
+| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | semmle.label | github.event.workflow_run.head_commit.author.email |
+| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | semmle.label | github.event.workflow_run.head_commit.author.name |
+| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | semmle.label | github.event.workflow_run.head_commit.committer.email |
+| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | semmle.label | github.event.workflow_run.head_commit.committer.name |
+| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
+| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | semmle.label | github.event.workflow_run.head_repository.description |
+| action1/action.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body |
 subpaths
 #select
-| .github/workflows/argus_case_study.yml:26:14:27:95 | \| | .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/comment_issue.yml:7:12:8:48 | \| | .github/workflows/comment_issue.yml:7:12:8:48 | \| | .github/workflows/comment_issue.yml:7:12:8:48 | \| | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/cross3.yml:41:12:43:5 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:41:12:43:5 | \| | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/cross3.yml:47:12:53:109 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:47:12:53:109 | \| | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/image_link_generator.yml:36:14:37:126 | \| | .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/simple1.yml:15:14:16:50 | \| | .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:15:14:16:50 | \| | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/simple2.yml:28:14:31:15 | \| | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:28:14:31:15 | \| | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | Potential expression injection, which may be controlled by an external user. |
+| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | steps.remove_quotations.outputs.replaced |
+| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | github.event.comment.body |
+| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | github.event.comment.body |
+| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | github.event.issue.body |
+| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | github.event.issue.title |
+| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | github.event.comment.body |
+| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | github.event.issue.body |
+| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | github.event.issue.title |
+| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | github.event.comment.body |
+| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | github.event.issue.body |
+| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | github.event.comment.body |
+| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | env.ISSUE_BODY_PARSED |
+| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | env.pr_message |
+| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | github.event.discussion.title |
+| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | github.event.discussion.body |
+| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | github.event.discussion.title |
+| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | github.event.discussion.body |
+| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | github.event.comment.body |
+| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | github.event.pages[1].title |
+| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | github.event.pages[11].title |
+| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | github.event.pages[0].page_name |
+| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | github.event.pages[2222].page_name |
+| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | steps.trim-url.outputs.trimmed_url |
+| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | github.event.issue.title |
+| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | github.event.issue.body |
+| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | env.global_env |
+| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | env.job_env |
+| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | env.step_env |
+| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | github.event.pull_request.title |
+| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | github.event.pull_request.body |
+| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | github.event.pull_request.head.label |
+| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | github.event.pull_request.head.repo.default_branch |
+| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | github.event.pull_request.head.repo.description |
+| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | github.event.pull_request.head.repo.homepage |
+| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | github.event.pull_request.head.ref |
+| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | github.event.review.body |
+| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | github.event.pull_request.title |
+| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | github.event.pull_request.body |
+| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | github.event.pull_request.head.label |
+| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | github.event.pull_request.head.repo.default_branch |
+| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | github.event.pull_request.head.repo.description |
+| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | github.event.pull_request.head.repo.homepage |
+| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | github.event.pull_request.head.ref |
+| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | github.event.comment.body |
+| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | github.event.pull_request.title |
+| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | github.event.pull_request.body |
+| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | github.event.pull_request.head.label |
+| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | github.event.pull_request.head.repo.default_branch |
+| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | github.event.pull_request.head.repo.description |
+| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | github.event.pull_request.head.repo.homepage |
+| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | github.event.pull_request.head.ref |
+| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | github.head_ref |
+| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | github.event.commits[11].message |
+| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | github.event.commits[11].author.email |
+| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | github.event.commits[11].author.name |
+| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | github.event.head_commit.message |
+| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | github.event.head_commit.author.email |
+| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | github.event.head_commit.author.name |
+| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | github.event.head_commit.committer.email |
+| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | github.event.head_commit.committer.name |
+| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | github.event.commits[11].committer.email |
+| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | github.event.commits[11].committer.name |
+| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | steps.summary.outputs.value |
+| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | steps.step.outputs.value |
+| .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:15:20:15:58 | github.event.head_commit.message | .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | needs.job1.outputs.job_output |
+| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | github.event.workflow_run.display_title |
+| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | github.event.workflow_run.head_commit.message |
+| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | github.event.workflow_run.head_commit.author.email |
+| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | github.event.workflow_run.head_commit.author.name |
+| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | github.event.workflow_run.head_commit.committer.email |
+| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | github.event.workflow_run.head_commit.committer.name |
+| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | github.event.workflow_run.head_branch |
+| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | github.event.workflow_run.head_repository.description |
--- a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected
+++ b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected
@@ -1,269 +1,269 @@
 edges
-| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:26:14:27:95 | \| |
-| .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} |
-| .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] |
-| .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:21:14:24:15 | \| |
-| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} |
-| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} |
-| .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] |
-| .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | .github/workflows/cross3.yml:41:12:43:5 | \| |
-| .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | .github/workflows/cross3.yml:61:21:68:47 | \| |
-| .github/workflows/cross3.yml:61:21:68:47 | \| | .github/workflows/cross3.yml:47:12:53:109 | \| |
-| .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} |
-| .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] |
-| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} |
-| .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] |
-| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | .github/workflows/image_link_generator.yml:36:14:37:126 | \| |
-| .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] |
-| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job0.yml:43:14:43:52 | echo ${ ... utput}} |
-| .github/workflows/inter-job0.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] |
-| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:30:19:30:63 | ${{ ste ... iles }} |
-| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job0.yml:15:19:15:49 | ${{ ste ... alue }} |
-| .github/workflows/inter-job0.yml:30:19:30:63 | ${{ ste ... iles }} | .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] |
-| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job1.yml:43:14:43:52 | echo ${ ... utput}} |
-| .github/workflows/inter-job1.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] |
-| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:30:19:30:63 | ${{ ste ... iles }} |
-| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job1.yml:15:19:15:49 | ${{ ste ... alue }} |
-| .github/workflows/inter-job1.yml:30:19:30:63 | ${{ ste ... iles }} | .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] |
-| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job2.yml:45:14:45:52 | echo ${ ... utput}} |
-| .github/workflows/inter-job2.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] |
-| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:30:19:30:63 | ${{ ste ... iles }} |
-| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job2.yml:15:19:15:49 | ${{ ste ... alue }} |
-| .github/workflows/inter-job2.yml:30:19:30:63 | ${{ ste ... iles }} | .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] |
-| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job4.yml:44:14:44:52 | echo ${ ... utput}} |
-| .github/workflows/inter-job4.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] |
-| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:30:19:30:63 | ${{ ste ... iles }} |
-| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job4.yml:15:19:15:49 | ${{ ste ... alue }} |
-| .github/workflows/inter-job4.yml:30:19:30:63 | ${{ ste ... iles }} | .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] |
-| .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' |
-| .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' |
-| .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' |
-| .github/workflows/matrix.yml:15:7:16:4 | Job outputs node [matrix] | .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} |
-| .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | .github/workflows/matrix.yml:15:7:16:4 | Job outputs node [matrix] |
-| .github/workflows/matrix.yml:17:9:21:2 | Uses Step: set-matrix | .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} |
-| .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | .github/workflows/matrix.yml:41:12:42:31 | \|  |
-| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | .github/workflows/simple1.yml:15:14:16:50 | \| |
-| .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] |
-| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} |
-| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:28:14:31:15 | \| |
-| .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] |
-| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} |
-| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] |
-| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} |
-| .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] |
-| .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} |
-| .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] |
-| .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} |
-| .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] |
+| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced |
+| .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE |
+| .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] |
+| .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files |
+| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced |
+| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced |
+| .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] |
+| .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED |
+| .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED |
+| .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message |
+| .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url |
+| .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] |
+| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url |
+| .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] |
+| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url |
+| .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] |
+| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output |
+| .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] |
+| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files |
+| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value |
+| .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] |
+| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output |
+| .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] |
+| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files |
+| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value |
+| .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] |
+| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output |
+| .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] |
+| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files |
+| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value |
+| .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] |
+| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output |
+| .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] |
+| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files |
+| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value |
+| .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] |
+| .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env |
+| .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env |
+| .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env |
+| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value |
+| .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] |
+| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files |
+| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value |
+| .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] |
+| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output |
+| .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] |
+| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value |
+| .github/workflows/test.yml:15:20:15:58 | github.event.head_commit.message | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] |
+| .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG |
+| .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] |
+| .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test |
+| .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] |
 nodes
 | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] |
-| .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | semmle.label | ${{gith ... title}} |
-| .github/workflows/argus_case_study.yml:22:19:22:38 | ${{env.ISSUE_TITLE}} | semmle.label | ${{env.ISSUE_TITLE}} |
-| .github/workflows/argus_case_study.yml:26:14:27:95 | \| | semmle.label | \| |
+| .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title |
+| .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE |
+| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced |
 | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | semmle.label | Uses Step: changed-files |
-| .github/workflows/changed-files.yml:21:14:24:15 | \| | semmle.label | \| |
-| .github/workflows/comment_issue.yml:7:12:8:48 | \| | semmle.label | \| |
-| .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' |
-| .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' |
-| .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' |
-| .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | semmle.label | \| |
+| .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files |
+| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | semmle.label | github.event.comment.body |
+| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | semmle.label | github.event.comment.body |
+| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | semmle.label | github.event.issue.body |
+| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | semmle.label | github.event.issue.title |
+| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | semmle.label | github.event.comment.body |
+| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | semmle.label | github.event.issue.body |
+| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | semmle.label | github.event.issue.title |
+| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | semmle.label | github.event.comment.body |
+| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | semmle.label | github.event.issue.body |
+| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | semmle.label | github.event.comment.body |
 | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] |
-| .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | semmle.label | ${{gith ... ssage}} |
-| .github/workflows/cross3.yml:39:30:39:74 | ${{step ... laced}} | semmle.label | ${{step ... laced}} |
-| .github/workflows/cross3.yml:41:12:43:5 | \| | semmle.label | \| |
-| .github/workflows/cross3.yml:47:12:53:109 | \| | semmle.label | \| |
-| .github/workflows/cross3.yml:57:28:57:72 | ${{step ... laced}} | semmle.label | ${{step ... laced}} |
-| .github/workflows/cross3.yml:61:21:68:47 | \| | semmle.label | \| |
-| .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' |
-| .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' |
-| .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' |
-| .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' |
-| .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' |
-| .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' |
-| .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' |
-| .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' |
-| .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' |
+| .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | semmle.label | github.event.commits[0].message |
+| .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced |
+| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | semmle.label | env.ISSUE_BODY_PARSED |
+| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | semmle.label | env.pr_message |
+| .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced |
+| .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | semmle.label | env.ISSUE_BODY_PARSED |
+| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | semmle.label | github.event.discussion.title |
+| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | semmle.label | github.event.discussion.body |
+| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | semmle.label | github.event.discussion.title |
+| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | semmle.label | github.event.discussion.body |
+| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | semmle.label | github.event.comment.body |
+| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | semmle.label | github.event.pages[1].title |
+| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | semmle.label | github.event.pages[11].title |
+| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | semmle.label | github.event.pages[0].page_name |
+| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | semmle.label | github.event.pages[2222].page_name |
 | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | semmle.label | Run Step: extract-url [initial_url] |
-| .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | semmle.label | ${{ git ... body }} |
+| .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | semmle.label | github.event.comment.body |
 | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | semmle.label | Run Step: curl [redirected_url] |
-| .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} |
+| .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | semmle.label | steps.extract-url.outputs.initial_url |
 | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | semmle.label | Run Step: trim-url [trimmed_url] |
-| .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} |
-| .github/workflows/image_link_generator.yml:36:14:37:126 | \| | semmle.label | \| |
+| .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | semmle.label | steps.curl.outputs.redirected_url |
+| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | semmle.label | steps.trim-url.outputs.trimmed_url |
 | .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
-| .github/workflows/inter-job0.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} |
+| .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value |
 | .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source |
 | .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] |
-| .github/workflows/inter-job0.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} |
-| .github/workflows/inter-job0.yml:43:14:43:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} |
+| .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files |
+| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output |
 | .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
-| .github/workflows/inter-job1.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} |
+| .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value |
 | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source |
 | .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] |
-| .github/workflows/inter-job1.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} |
-| .github/workflows/inter-job1.yml:43:14:43:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} |
+| .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files |
+| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output |
 | .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
-| .github/workflows/inter-job2.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} |
+| .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value |
 | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source |
 | .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] |
-| .github/workflows/inter-job2.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} |
-| .github/workflows/inter-job2.yml:45:14:45:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} |
+| .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files |
+| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output |
 | .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
-| .github/workflows/inter-job4.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} |
+| .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value |
 | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source |
 | .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] |
-| .github/workflows/inter-job4.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} |
-| .github/workflows/inter-job4.yml:44:14:44:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} |
-| .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} |
-| .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} |
-| .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' |
-| .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' |
-| .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' |
-| .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' |
-| .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | semmle.label | echo '$ ... env }}' |
-| .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} |
-| .github/workflows/matrix.yml:15:7:16:4 | Job outputs node [matrix] | semmle.label | Job outputs node [matrix] |
-| .github/workflows/matrix.yml:15:15:15:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} |
-| .github/workflows/matrix.yml:17:9:21:2 | Uses Step: set-matrix | semmle.label | Uses Step: set-matrix |
-| .github/workflows/matrix.yml:34:19:34:69 | ${{ fro ... rix) }} | semmle.label | ${{ fro ... rix) }} |
-| .github/workflows/matrix.yml:41:12:42:31 | \|  | semmle.label | \|  |
-| .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' |
-| .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' |
-| .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | semmle.label | echo '$ ... bel }}' |
-| .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | semmle.label | echo '$ ... nch }}' |
-| .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | semmle.label | echo '$ ... ion }}' |
-| .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' |
-| .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' |
-| .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' |
-| .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' |
-| .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' |
-| .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | semmle.label | echo '$ ... bel }}' |
-| .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | semmle.label | echo '$ ... nch }}' |
-| .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | semmle.label | echo '$ ... ion }}' |
-| .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' |
-| .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' |
-| .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' |
-| .github/workflows/pull_request_target.yml:7:12:7:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' |
-| .github/workflows/pull_request_target.yml:8:12:8:48 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' |
-| .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' |
-| .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' |
-| .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | semmle.label | echo '$ ... bel }}' |
-| .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | semmle.label | echo '$ ... nch }}' |
-| .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | semmle.label | echo '$ ... ion }}' |
-| .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' |
-| .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' |
-| .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | semmle.label | echo '$ ... ref }}' |
-| .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' |
-| .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' |
-| .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' |
-| .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' |
-| .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' |
-| .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' |
-| .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' |
-| .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' |
-| .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' |
-| .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' |
+| .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files |
+| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output |
+| .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | semmle.label | github.event.issue.title |
+| .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | semmle.label | github.event.issue.title |
+| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | semmle.label | github.event.issue.title |
+| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | semmle.label | github.event.issue.body |
+| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | semmle.label | env.global_env |
+| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | semmle.label | env.job_env |
+| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | semmle.label | env.step_env |
+| .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | semmle.label | github.event.issue.title |
+| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
+| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label |
+| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch |
+| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description |
+| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage |
+| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref |
+| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | semmle.label | github.event.review.body |
+| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
+| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label |
+| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch |
+| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description |
+| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage |
+| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref |
+| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body |
+| .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | semmle.label | github.event.issue.title |
+| .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | semmle.label | github.event.issue.body |
+| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
+| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label |
+| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch |
+| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description |
+| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage |
+| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref |
+| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | semmle.label | github.head_ref |
+| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | semmle.label | github.event.commits[11].message |
+| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | semmle.label | github.event.commits[11].author.email |
+| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | semmle.label | github.event.commits[11].author.name |
+| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
+| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | semmle.label | github.event.head_commit.author.email |
+| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | semmle.label | github.event.head_commit.author.name |
+| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | semmle.label | github.event.head_commit.committer.email |
+| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name |
+| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email |
+| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name |
 | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | semmle.label | Uses Step: summary [value] |
-| .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | semmle.label | ${{ git ... sage }} |
-| .github/workflows/simple1.yml:15:14:16:50 | \| | semmle.label | \| |
+| .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
+| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | semmle.label | steps.summary.outputs.value |
 | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | semmle.label | Uses Step: source |
 | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | semmle.label | Uses Step: step [value] |
-| .github/workflows/simple2.yml:22:19:22:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} |
-| .github/workflows/simple2.yml:28:14:31:15 | \| | semmle.label | \| |
+| .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files |
+| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | semmle.label | steps.step.outputs.value |
 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
-| .github/workflows/test.yml:8:19:8:49 | ${{ ste ... test }} | semmle.label | ${{ ste ... test }} |
+| .github/workflows/test.yml:8:20:8:50 | steps.step2.outputs.test | semmle.label | steps.step2.outputs.test |
 | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] |
-| .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | semmle.label | ${{ git ... sage }} |
+| .github/workflows/test.yml:15:20:15:58 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
 | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | semmle.label | Run Step: step1 [MSG] |
-| .github/workflows/test.yml:20:17:20:47 | ${{ ste ... value}} | semmle.label | ${{ ste ... value}} |
+| .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | semmle.label | steps.step0.outputs.value |
 | .github/workflows/test.yml:24:9:29:2 | Run Step: step2 [test] | semmle.label | Run Step: step2 [test] |
-| .github/workflows/test.yml:26:18:26:45 | ${{step ... s.MSG}} | semmle.label | ${{step ... s.MSG}} |
-| .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} |
-| .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' |
-| .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | semmle.label | echo '$ ... age }}' |
-| .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' |
-| .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' |
-| .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | semmle.label | echo '$ ... ail }}' |
-| .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | semmle.label | echo '$ ... ame }}' |
-| .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | semmle.label | echo '$ ... nch }}' |
-| .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | semmle.label | echo '$ ... ion }}' |
-| action1/action.yml:14:12:14:50 | echo '$ ... ody }}' | semmle.label | echo '$ ... ody }}' |
+| .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | semmle.label | steps.step1.outputs.MSG |
+| .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output |
+| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | semmle.label | github.event.workflow_run.display_title |
+| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | semmle.label | github.event.workflow_run.head_commit.message |
+| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | semmle.label | github.event.workflow_run.head_commit.author.email |
+| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | semmle.label | github.event.workflow_run.head_commit.author.name |
+| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | semmle.label | github.event.workflow_run.head_commit.committer.email |
+| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | semmle.label | github.event.workflow_run.head_commit.committer.name |
+| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
+| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | semmle.label | github.event.workflow_run.head_repository.description |
+| action1/action.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body |
 subpaths
 #select
-| .github/workflows/argus_case_study.yml:26:14:27:95 | \| | .github/workflows/argus_case_study.yml:17:24:17:52 | ${{gith ... title}} | .github/workflows/argus_case_study.yml:26:14:27:95 | \| | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/changed-files.yml:21:14:24:15 | \| | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:21:14:24:15 | \| | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/comment_issue.yml:7:12:8:48 | \| | .github/workflows/comment_issue.yml:7:12:8:48 | \| | .github/workflows/comment_issue.yml:7:12:8:48 | \| | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:13:12:13:50 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/comment_issue.yml:14:12:14:48 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | .github/workflows/comment_issue.yml:15:12:15:49 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | .github/workflows/comment_issue_newline.yml:9:14:10:50 | \| | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/cross3.yml:41:12:43:5 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:41:12:43:5 | \| | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/cross3.yml:47:12:53:109 | \| | .github/workflows/cross3.yml:32:17:32:52 | ${{gith ... ssage}} | .github/workflows/cross3.yml:47:12:53:109 | \| | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion.yml:7:12:7:54 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion.yml:8:12:8:53 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | .github/workflows/discussion_comment.yml:7:12:7:54 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:8:12:8:53 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | .github/workflows/discussion_comment.yml:9:12:9:50 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | .github/workflows/gollum.yml:7:12:7:52 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | .github/workflows/gollum.yml:8:12:8:53 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | .github/workflows/gollum.yml:9:12:9:56 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | .github/workflows/gollum.yml:10:12:10:59 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/image_link_generator.yml:36:14:37:126 | \| | .github/workflows/image_link_generator.yml:18:17:18:48 | ${{ git ... body }} | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/inter-job0.yml:43:14:43:52 | echo ${ ... utput}} | .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:43:14:43:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/inter-job1.yml:43:14:43:52 | echo ${ ... utput}} | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:43:14:43:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/inter-job2.yml:45:14:45:52 | echo ${ ... utput}} | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:45:14:45:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/inter-job4.yml:44:14:44:52 | echo ${ ... utput}} | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:44:14:44:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | .github/workflows/issues.yaml:14:12:14:48 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/matrix.yml:41:12:42:31 | \|  | .github/workflows/matrix.yml:17:9:21:2 | Uses Step: set-matrix | .github/workflows/matrix.yml:41:12:42:31 | \|  | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review.yml:7:12:7:56 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:8:12:8:55 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review.yml:9:12:9:61 | echo '$ ... bel }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review.yml:10:12:10:75 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review.yml:11:12:11:72 | echo '$ ... ion }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review.yml:12:12:12:69 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review.yml:13:12:13:59 | echo '$ ... ref }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | .github/workflows/pull_request_review.yml:14:12:14:49 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | .github/workflows/pull_request_review_comment.yml:7:12:7:56 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:8:12:8:55 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | .github/workflows/pull_request_review_comment.yml:9:12:9:61 | echo '$ ... bel }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | .github/workflows/pull_request_review_comment.yml:10:12:10:75 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | .github/workflows/pull_request_review_comment.yml:11:12:11:72 | echo '$ ... ion }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | .github/workflows/pull_request_review_comment.yml:12:12:12:69 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | .github/workflows/pull_request_review_comment.yml:13:12:13:59 | echo '$ ... ref }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | .github/workflows/pull_request_review_comment.yml:14:12:14:50 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_target.yml:7:12:7:49 | echo '$ ... tle }}' | .github/workflows/pull_request_target.yml:7:12:7:49 | echo '$ ... tle }}' | .github/workflows/pull_request_target.yml:7:12:7:49 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_target.yml:8:12:8:48 | echo '$ ... ody }}' | .github/workflows/pull_request_target.yml:8:12:8:48 | echo '$ ... ody }}' | .github/workflows/pull_request_target.yml:8:12:8:48 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | .github/workflows/pull_request_target.yml:9:12:9:56 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | .github/workflows/pull_request_target.yml:10:12:10:55 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | .github/workflows/pull_request_target.yml:11:12:11:61 | echo '$ ... bel }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | .github/workflows/pull_request_target.yml:12:12:12:75 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | .github/workflows/pull_request_target.yml:13:12:13:72 | echo '$ ... ion }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | .github/workflows/pull_request_target.yml:14:12:14:69 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:15:12:15:59 | echo '$ ... ref }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | .github/workflows/pull_request_target.yml:16:12:16:40 | echo '$ ... ref }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | .github/workflows/push.yml:7:12:7:57 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | .github/workflows/push.yml:8:12:8:62 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | .github/workflows/push.yml:9:12:9:61 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | .github/workflows/push.yml:10:12:10:57 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | .github/workflows/push.yml:11:12:11:62 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | .github/workflows/push.yml:12:12:12:61 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | .github/workflows/push.yml:13:12:13:65 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | .github/workflows/push.yml:14:12:14:64 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | .github/workflows/push.yml:15:12:15:65 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | .github/workflows/push.yml:16:12:16:64 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/simple1.yml:15:14:16:50 | \| | .github/workflows/simple1.yml:11:19:11:57 | ${{ git ... sage }} | .github/workflows/simple1.yml:15:14:16:50 | \| | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/simple2.yml:28:14:31:15 | \| | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:28:14:31:15 | \| | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | .github/workflows/test.yml:15:19:15:57 | ${{ git ... sage }} | .github/workflows/test.yml:37:14:37:52 | echo ${ ... utput}} | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | .github/workflows/workflow_run.yml:9:12:9:64 | echo '$ ... tle }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | .github/workflows/workflow_run.yml:10:12:10:70 | echo '$ ... age }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:11:12:11:75 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:12:12:12:74 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | .github/workflows/workflow_run.yml:13:12:13:78 | echo '$ ... ail }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | .github/workflows/workflow_run.yml:14:12:14:77 | echo '$ ... ame }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | .github/workflows/workflow_run.yml:15:12:15:62 | echo '$ ... nch }}' | Potential expression injection, which may be controlled by an external user. |
-| .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | .github/workflows/workflow_run.yml:16:12:16:78 | echo '$ ... ion }}' | Potential expression injection, which may be controlled by an external user. |
-| action1/action.yml:14:12:14:50 | echo '$ ... ody }}' | action1/action.yml:14:12:14:50 | echo '$ ... ody }}' | action1/action.yml:14:12:14:50 | echo '$ ... ody }}' | Potential expression injection, which may be controlled by an external user. |
+| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} |
+| .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | ${{ steps.changed-files.outputs.all_changed_files }} |
+| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} |
+| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} |
+| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} |
+| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | ${{ github.event.issue.title }} |
+| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | ${{ github.event.comment.body }} |
+| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | ${{ github.event.issue.body }} |
+| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | ${{ github.event.issue.title }} |
+| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | ${{ github.event.comment.body }} |
+| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | ${{github.event.issue.body}} |
+| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | ${{ github.event.comment.body }} |
+| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | ${{ env.ISSUE_BODY_PARSED }} |
+| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | ${{env.pr_message}} |
+| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} |
+| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} |
+| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | ${{ github.event.discussion.title }} |
+| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | ${{ github.event.discussion.body }} |
+| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} |
+| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | ${{ github.event.pages[1].title }} |
+| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | ${{ github.event.pages[11].title }} |
+| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | ${{ github.event.pages[0].page_name }} |
+| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | ${{ github.event.pages[2222].page_name }} |
+| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | ${{ steps.trim-url.outputs.trimmed_url }} |
+| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} |
+| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} |
+| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} |
+| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} |
+| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | ${{ github.event.issue.title }} |
+| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | ${{ github.event.issue.body }} |
+| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} |
+| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} |
+| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} |
+| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} |
+| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} |
+| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} |
+| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} |
+| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} |
+| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} |
+| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} |
+| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | ${{ github.event.review.body }} |
+| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} |
+| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} |
+| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} |
+| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} |
+| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} |
+| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} |
+| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} |
+| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} |
+| .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | ${{ github.event.issue.title }} |
+| .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | ${{ github.event.issue.body }} |
+| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} |
+| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} |
+| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} |
+| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | ${{ github.event.pull_request.head.repo.default_branch }} |
+| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | ${{ github.event.pull_request.head.repo.description }} |
+| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} |
+| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} |
+| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} |
+| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} |
+| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} |
+| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} |
+| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | ${{ github.event.head_commit.message }} |
+| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | ${{ github.event.head_commit.author.email }} |
+| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | ${{ github.event.head_commit.author.name }} |
+| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | ${{ github.event.head_commit.committer.email }} |
+| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} |
+| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} |
+| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} |
+| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} |
+| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} |
+| .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:15:20:15:58 | github.event.head_commit.message | .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:37:20:37:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} |
+| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} |
+| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} |
+| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} |
+| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} |
+| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | ${{ github.event.workflow_run.head_commit.committer.email }} |
+| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | ${{ github.event.workflow_run.head_commit.committer.name }} |
+| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
+| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} |
+| action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | action1/action.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} |