From 5cd292e23e034a593f1feac0f5bba0bac2c4666c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Wed, 26 Jun 2024 19:17:37 +0200
Subject: [PATCH] Make Untrusted Checkout and CachePoisoning rules path-problems
---
 ql/src/Security/CWE-349/CachePoisoning.ql | 7 +-
 .../CWE-829/UntrustedCheckoutCritical.ql | 10 +-
 .../CWE-094/.github/workflows/test8.yml | 48 +++
 .../CWE-094/CodeInjectionCritical.expected | 4 +
 .../CWE-094/CodeInjectionMedium.expected | 2 +
 .../Security/CWE-349/CachePoisoning.expected | 134 ++++++++-
 .../UntrustedCheckoutCritical.expected | 273 +++++++++++++++++-
 7 files changed, 451 insertions(+), 27 deletions(-)
 create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test8.yml
diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql
index feef4316461..2a9952ce07f 100644
--- a/ql/src/Security/CWE-349/CachePoisoning.ql
+++ b/ql/src/Security/CWE-349/CachePoisoning.ql
@@ -1,7 +1,7 @@
 /**
 * @name Cache Poisoning
 * @description The cache can be poisoned by untrusted code, leading to a cache poisoning attack.
- * @kind problem
+ * @kind path-problem
 * @problem.severity error
 * @precision high
 * @security-severity 7.5
@@ -16,6 +16,8 @@ import codeql.actions.security.UntrustedCheckoutQuery
 import codeql.actions.security.CachePoisoningQuery
 import codeql.actions.security.PoisonableSteps
+query predicate edges(Step a, Step b) { a.getAFollowingStep() = b }
+
 from LocalJob j, Event e, PRHeadCheckoutStep checkout, Step s
 where
 j.getATriggerEvent() = e and
@@ -48,5 +50,4 @@ where
 // excluding privileged workflows since they can be exploited in easier circumstances
 not j.isPrivileged()
 )
-select checkout, "Potential cache poisoning in the context of the default branch on step $@.", s,
- s.toString()
+select s, checkout, s, "Potential cache poisoning in the context of the default branch"
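Review bot: The `edges` predicate added in the `@@ -16,6 +16,8 @@` hunk relates every pair of steps in every workflow, not only the pairs this query reports. The regenerated CachePoisoning.expected suggests `getAFollowingStep()` is already transitive (test1.yml gets edges from the step at line 10 to the steps at lines 13, 18 and 22), so each reported path would be a single hop from `checkout` to `s` and the remaining edges are noise that grows quadratically with job length. Consider anchoring the relation on the source, `query predicate edges(Step a, Step b) { a instanceof PRHeadCheckoutStep and a.getAFollowingStep() = b }`, with a one-line comment above it saying it exists to satisfy `@kind path-problem`. The same predicate is added unchanged in UntrustedCheckoutCritical.ql, where the sink side could also be limited with `b instanceof PoisonableStep`.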
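Review bot: The rewritten `select` in the `@@ -48,5 +50,4 @@` hunk drops the full stop from the alert message, while the sibling message in UntrustedCheckoutCritical.ql keeps it; `select s, checkout, s, "Potential cache poisoning in the context of the default branch."` would keep the two consistent. The primary alert location also moves from `checkout` to `s`, so existing alerts and dismissals recorded against the checkout step will probably not carry over, which is worth stating in the commit description or a change note. The `where` clause this `select` closes starts outside the hunk.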
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
index eae580ebd52..b71b3cbba99 100644
--- a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
+++ b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
@@ -3,7 +3,7 @@
 * @description Priveleged workflows have read/write access to the base repository and access to secrets.
 * By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
 * that is able to push to the base repository and to access secrets.
- * @kind problem
+ * @kind path-problem
 * @problem.severity error
 * @precision very-high
 * @security-severity 9.3
@@ -17,12 +17,14 @@ import actions
 import codeql.actions.security.UntrustedCheckoutQuery
 import codeql.actions.security.PoisonableSteps
-from LocalJob j, PRHeadCheckoutStep checkout
+query predicate edges(Step a, Step b) { a.getAFollowingStep() = b }
+
+from LocalJob j, PRHeadCheckoutStep checkout, PoisonableStep s
 where
 j = checkout.getEnclosingJob() and
 j.getAStep() = checkout and
 // the checkout is followed by a known poisonable step
- checkout.getAFollowingStep() instanceof PoisonableStep and
+ checkout.getAFollowingStep() = s and
 // the checkout is not controlled by an access check
 not exists(ControlCheck check | check.dominates(checkout)) and
 // the checkout occurs in a privileged context
@@ -31,4 +33,4 @@ where
 or
 inPrivilegedExternallyTriggerableJob(checkout)
 )
-select checkout, "Potential unsafe checkout of untrusted pull request on privileged workflow."
+select s, checkout, s, "Potential unsafe checkout of untrusted code on a privileged workflow."
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test8.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test8.yml
new file mode 100644
index 00000000000..3b532e4cc67
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test8.yml
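Review bot: Binding `s` with `checkout.getAFollowingStep() = s` in the `@@ -17,12 +17,14 @@` hunk turns one finding per unguarded checkout into one finding per (checkout, poisonable step) pair, each reported on `s` at security-severity 9.3. The remediation for all of them is at the checkout, or at a `ControlCheck` that dominates it, and the message no longer points there, which makes triage harder on long jobs. Consider linking it, `select s, checkout, s, "Potential unsafe checkout of untrusted code on a privileged workflow ($@).", checkout, checkout.toString()`, or adding a comment above the `from` clause stating that several alerts per checkout are intended. Part of the `where` clause lies between this hunk and the `@@ -31,4 +33,4 @@` hunk and is not visible here.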
@@ -0,0 +1,48 @@
+run-name: Cleanup ${{ github.head_ref }}
+on:
+ pull_request_target:
+ types: labeled
+ paths:
+ - 'images/**'
+
+jobs:
+ clean_ci:
+ name: Clean CI runs
+ runs-on: ubuntu-latest
+ permissions:
+ actions: write
+ steps:
+ - env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ shell: pwsh
+ run: |
+ $startDate = Get-Date -UFormat %s
+ $workflows = @("macos11", "macos12", "ubuntu2004", "ubuntu2204", "windows2019", "windows2022")
+ while ($true) {
+ $continue = $false
+ foreach ($wf in $workflows) {
+ $skippedCommand = "gh run list --workflow ${wf}.yml --branch ${{ github.event.pull_request.head.ref }} --repo ${{ github.repository }} --status skipped --json databaseId"
+ $skippedIds = Invoke-Expression -Command $skippedCommand | ConvertFrom-Json | ForEach-Object { $_.databaseId }
+ $skippedIds | ForEach-Object {
+ $deleteCommand = "gh run delete --repo ${{ github.repository }} $_"
+ Invoke-Expression -Command $deleteCommand
+ }
+ $pendingCommand = "gh run list --workflow ${wf}.yml --branch ${{ github.event.pull_request.head.ref }} --repo ${{ github.repository }} --status requested --json databaseId --template '{{ . | len }}'"
+ $pending = Invoke-Expression -Command $pendingCommand
+ if ($pending -gt 0) {
+ Write-Host "Pending for ${wf}.yml: $pending run(s)"
+ $continue = $true
+ }
+ }
+ if ($continue -eq $false) {
+ Write-Host "All done, exiting"
+ break
+ }
+ $curDate = Get-Date -UFormat %s
+ if (($curDate - $startDate) -gt 60) {
+ Write-Host "Reached timeout, exiting"
+ break
+ }
+ Write-Host "Waiting 5 seconds..."
+ Start-Sleep -Seconds 5
+ }
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
index f34915f45c2..1b98263c16e 100644
--- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
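Review bot: The new test8.yml fixture carries no comment saying it is deliberately vulnerable test input, and the commit subject does not mention a CWE-094 test at all. The workflow runs on `pull_request_target` and expands `${{ github.event.pull_request.head.ref }}` into strings passed to `Invoke-Expression`, which is what the regenerated CodeInjectionCritical.expected reports at 24:76 and 30:76. A trailing comment such as `# Test fixture, intentionally vulnerable: head.ref reaches Invoke-Expression on lines 24 and 30` would make that explicit; placing it after the last line keeps the expected line numbers unchanged.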
@@ -249,6 +249,8 @@ nodes | .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | semmle.label | Uses Step: refs | | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | semmle.label | steps.comment-branch.outputs.head_ref | | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | semmle.label | steps.refs.outputs.head_ref | +| .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -348,6 +350,8 @@ subpaths | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | ${{ toJSON(github.event.comment.body).foo }} | | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | ${{ steps.comment-branch.outputs.head_ref }} | | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | ${{ steps.refs.outputs.head_ref }} | +| .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | +| .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} | | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index d919880e726..35887c3b370 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected @@ -249,6 +249,8 @@ nodes | .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | semmle.label | Uses Step: refs | | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | semmle.label | steps.comment-branch.outputs.head_ref | | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | semmle.label | steps.refs.outputs.head_ref | +| .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | +| .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected index d434bd63c51..6a91d49c0ca 100644 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected 
@@ -1,12 +1,122 @@ -| .github/workflows/test1.yml:13:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test1.yml:18:9:22:6 | Uses Step | Uses Step | -| .github/workflows/test2.yml:11:9:14:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test2.yml:14:9:18:6 | Uses Step | Uses Step | -| .github/workflows/test3.yml:11:9:14:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test3.yml:14:9:22:6 | Uses Step | Uses Step | -| .github/workflows/test6.yml:10:9:13:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test6.yml:13:9:17:6 | Uses Step | Uses Step | -| .github/workflows/test7.yml:10:9:13:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test7.yml:13:9:16:6 | Uses Step | Uses Step | -| .github/workflows/test8.yml:12:9:15:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test8.yml:15:9:17:2 | Run Step | Run Step | -| .github/workflows/test8.yml:23:9:26:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test8.yml:26:9:28:2 | Uses Step | Uses Step | -| .github/workflows/test8.yml:34:9:37:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test8.yml:37:9:37:75 | Run Step | Run Step | -| .github/workflows/test11.yml:14:9:19:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test11.yml:19:9:23:6 | Uses Step | Uses Step | -| .github/workflows/test15.yml:14:9:17:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. 
| .github/workflows/test15.yml:17:9:21:6 | Uses Step | Uses Step | -| .github/workflows/test16.yml:14:9:17:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test16.yml:17:9:21:6 | Uses Step | Uses Step | -| .github/workflows/test17.yml:15:9:20:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test17.yml:22:9:26:31 | Uses Step | Uses Step | +edges +| .github/workflows/test1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/test1.yml:13:9:18:6 | Uses Step | +| .github/workflows/test1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/test1.yml:18:9:22:6 | Uses Step | +| .github/workflows/test1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/test1.yml:22:9:23:21 | Run Step | +| .github/workflows/test1.yml:13:9:18:6 | Uses Step | .github/workflows/test1.yml:18:9:22:6 | Uses Step | +| .github/workflows/test1.yml:13:9:18:6 | Uses Step | .github/workflows/test1.yml:22:9:23:21 | Run Step | +| .github/workflows/test1.yml:18:9:22:6 | Uses Step | .github/workflows/test1.yml:22:9:23:21 | Run Step | +| .github/workflows/test2.yml:11:9:14:6 | Uses Step | .github/workflows/test2.yml:14:9:18:6 | Uses Step | +| .github/workflows/test2.yml:11:9:14:6 | Uses Step | .github/workflows/test2.yml:18:9:19:21 | Run Step | +| .github/workflows/test2.yml:14:9:18:6 | Uses Step | .github/workflows/test2.yml:18:9:19:21 | Run Step | +| .github/workflows/test3.yml:11:9:14:6 | Uses Step | .github/workflows/test3.yml:14:9:22:6 | Uses Step | +| .github/workflows/test3.yml:11:9:14:6 | Uses Step | .github/workflows/test3.yml:22:9:23:34 | Run Step | +| .github/workflows/test3.yml:14:9:22:6 | Uses Step | .github/workflows/test3.yml:22:9:23:34 | Run Step | +| .github/workflows/test4.yml:13:9:16:6 | Uses Step | .github/workflows/test4.yml:16:9:20:6 | Uses Step | +| .github/workflows/test4.yml:13:9:16:6 | Uses Step | 
.github/workflows/test4.yml:20:9:21:34 | Run Step | +| .github/workflows/test4.yml:16:9:20:6 | Uses Step | .github/workflows/test4.yml:20:9:21:34 | Run Step | +| .github/workflows/test5.yml:11:9:14:6 | Uses Step | .github/workflows/test5.yml:14:9:18:6 | Uses Step | +| .github/workflows/test5.yml:11:9:14:6 | Uses Step | .github/workflows/test5.yml:18:9:19:11 | Run Step | +| .github/workflows/test5.yml:14:9:18:6 | Uses Step | .github/workflows/test5.yml:18:9:19:11 | Run Step | +| .github/workflows/test6.yml:10:9:13:6 | Uses Step | .github/workflows/test6.yml:13:9:17:6 | Uses Step | +| .github/workflows/test6.yml:10:9:13:6 | Uses Step | .github/workflows/test6.yml:17:9:18:11 | Run Step | +| .github/workflows/test6.yml:13:9:17:6 | Uses Step | .github/workflows/test6.yml:17:9:18:11 | Run Step | +| .github/workflows/test7.yml:10:9:13:6 | Uses Step | .github/workflows/test7.yml:13:9:16:6 | Uses Step | +| .github/workflows/test7.yml:10:9:13:6 | Uses Step | .github/workflows/test7.yml:16:9:17:11 | Run Step | +| .github/workflows/test7.yml:13:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:17:11 | Run Step | +| .github/workflows/test8.yml:10:9:12:6 | Uses Step: comment-branch | .github/workflows/test8.yml:12:9:15:6 | Uses Step | +| .github/workflows/test8.yml:10:9:12:6 | Uses Step: comment-branch | .github/workflows/test8.yml:15:9:17:2 | Run Step | +| .github/workflows/test8.yml:12:9:15:6 | Uses Step | .github/workflows/test8.yml:15:9:17:2 | Run Step | +| .github/workflows/test8.yml:21:9:23:6 | Uses Step: comment-branch | .github/workflows/test8.yml:23:9:26:6 | Uses Step | +| .github/workflows/test8.yml:21:9:23:6 | Uses Step: comment-branch | .github/workflows/test8.yml:26:9:28:2 | Uses Step | +| .github/workflows/test8.yml:23:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:28:2 | Uses Step | +| .github/workflows/test8.yml:32:9:34:6 | Uses Step: comment-branch | .github/workflows/test8.yml:34:9:37:6 | Uses Step | +| .github/workflows/test8.yml:32:9:34:6 | Uses 
Step: comment-branch | .github/workflows/test8.yml:37:9:37:75 | Run Step | +| .github/workflows/test8.yml:34:9:37:6 | Uses Step | .github/workflows/test8.yml:37:9:37:75 | Run Step | +| .github/workflows/test11.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/test11.yml:14:9:19:6 | Uses Step | +| .github/workflows/test11.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/test11.yml:19:9:23:6 | Uses Step | +| .github/workflows/test11.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/test11.yml:23:9:24:21 | Run Step | +| .github/workflows/test11.yml:14:9:19:6 | Uses Step | .github/workflows/test11.yml:19:9:23:6 | Uses Step | +| .github/workflows/test11.yml:14:9:19:6 | Uses Step | .github/workflows/test11.yml:23:9:24:21 | Run Step | +| .github/workflows/test11.yml:19:9:23:6 | Uses Step | .github/workflows/test11.yml:23:9:24:21 | Run Step | +| .github/workflows/test12.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/test12.yml:14:9:19:6 | Uses Step | +| .github/workflows/test12.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/test12.yml:19:9:20:30 | Run Step | +| .github/workflows/test12.yml:14:9:19:6 | Uses Step | .github/workflows/test12.yml:19:9:20:30 | Run Step | +| .github/workflows/test13.yml:14:9:17:6 | Uses Step | .github/workflows/test13.yml:17:9:21:6 | Uses Step | +| .github/workflows/test13.yml:14:9:17:6 | Uses Step | .github/workflows/test13.yml:21:9:22:21 | Run Step | +| .github/workflows/test13.yml:17:9:21:6 | Uses Step | .github/workflows/test13.yml:21:9:22:21 | Run Step | +| .github/workflows/test14.yml:14:9:17:6 | Uses Step | .github/workflows/test14.yml:17:9:21:6 | Uses Step | +| .github/workflows/test14.yml:14:9:17:6 | Uses Step | .github/workflows/test14.yml:21:9:22:21 | Run Step | +| .github/workflows/test14.yml:17:9:21:6 | Uses Step | .github/workflows/test14.yml:21:9:22:21 | Run Step | +| .github/workflows/test15.yml:14:9:17:6 | Uses Step | .github/workflows/test15.yml:17:9:21:6 | Uses 
Step | +| .github/workflows/test15.yml:14:9:17:6 | Uses Step | .github/workflows/test15.yml:21:9:22:21 | Run Step | +| .github/workflows/test15.yml:17:9:21:6 | Uses Step | .github/workflows/test15.yml:21:9:22:21 | Run Step | +| .github/workflows/test16.yml:14:9:17:6 | Uses Step | .github/workflows/test16.yml:17:9:21:6 | Uses Step | +| .github/workflows/test16.yml:14:9:17:6 | Uses Step | .github/workflows/test16.yml:21:9:22:21 | Run Step | +| .github/workflows/test16.yml:17:9:21:6 | Uses Step | .github/workflows/test16.yml:21:9:22:21 | Run Step | +| .github/workflows/test17.yml:15:9:20:6 | Uses Step | .github/workflows/test17.yml:20:9:22:6 | Uses Step | +| .github/workflows/test17.yml:15:9:20:6 | Uses Step | .github/workflows/test17.yml:22:9:26:31 | Uses Step | +| .github/workflows/test17.yml:20:9:22:6 | Uses Step | .github/workflows/test17.yml:22:9:26:31 | Uses Step | +| .github/workflows/test18.yml:15:9:19:6 | Uses Step | .github/workflows/test18.yml:19:9:24:6 | Uses Step | +| .github/workflows/test18.yml:15:9:19:6 | Uses Step | .github/workflows/test18.yml:24:9:27:6 | Run Step | +| .github/workflows/test18.yml:15:9:19:6 | Uses Step | .github/workflows/test18.yml:27:9:30:6 | Run Step | +| .github/workflows/test18.yml:15:9:19:6 | Uses Step | .github/workflows/test18.yml:30:9:31:54 | Run Step | +| .github/workflows/test18.yml:19:9:24:6 | Uses Step | .github/workflows/test18.yml:24:9:27:6 | Run Step | +| .github/workflows/test18.yml:19:9:24:6 | Uses Step | .github/workflows/test18.yml:27:9:30:6 | Run Step | +| .github/workflows/test18.yml:19:9:24:6 | Uses Step | .github/workflows/test18.yml:30:9:31:54 | Run Step | +| .github/workflows/test18.yml:24:9:27:6 | Run Step | .github/workflows/test18.yml:27:9:30:6 | Run Step | +| .github/workflows/test18.yml:24:9:27:6 | Run Step | .github/workflows/test18.yml:30:9:31:54 | Run Step | +| .github/workflows/test18.yml:27:9:30:6 | Run Step | .github/workflows/test18.yml:30:9:31:54 | Run Step | +| 
.github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:21:9:41:49 | Run Step: check | +| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:25:7:31:4 | Uses Step | +| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:31:7:33:4 | Uses Step | +| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:33:7:38:4 | Uses Step | +| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step | +| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:40:7:41:4 | Run Step | +| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | +| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | +| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | +| .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:31:7:33:4 | Uses Step | +| .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:33:7:38:4 | Uses Step | +| .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step | +| .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:40:7:41:4 | Run Step | +| .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | +| .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | +| .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | +| .github/workflows/test20.yml:31:7:33:4 | Uses Step | .github/workflows/test20.yml:33:7:38:4 | Uses Step | +| .github/workflows/test20.yml:31:7:33:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step | +| 
.github/workflows/test20.yml:31:7:33:4 | Uses Step | .github/workflows/test20.yml:40:7:41:4 | Run Step | +| .github/workflows/test20.yml:31:7:33:4 | Uses Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | +| .github/workflows/test20.yml:31:7:33:4 | Uses Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | +| .github/workflows/test20.yml:31:7:33:4 | Uses Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | +| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step | +| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:40:7:41:4 | Run Step | +| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | +| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | +| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | +| .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:40:7:41:4 | Run Step | +| .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | +| .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | +| .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | +| .github/workflows/test20.yml:40:7:41:4 | Run Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | +| .github/workflows/test20.yml:40:7:41:4 | Run Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | +| .github/workflows/test20.yml:40:7:41:4 | Run Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | +| .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | +| .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | +| .github/workflows/test20.yml:42:7:43:4 | Run Step | 
.github/workflows/test20.yml:43:7:46:39 | Uses Step | +#select +| .github/workflows/test1.yml:18:9:22:6 | Uses Step | .github/workflows/test1.yml:13:9:18:6 | Uses Step | .github/workflows/test1.yml:18:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/test2.yml:14:9:18:6 | Uses Step | .github/workflows/test2.yml:11:9:14:6 | Uses Step | .github/workflows/test2.yml:14:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/test3.yml:14:9:22:6 | Uses Step | .github/workflows/test3.yml:11:9:14:6 | Uses Step | .github/workflows/test3.yml:14:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/test6.yml:13:9:17:6 | Uses Step | .github/workflows/test6.yml:10:9:13:6 | Uses Step | .github/workflows/test6.yml:13:9:17:6 | Uses Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/test7.yml:13:9:16:6 | Uses Step | .github/workflows/test7.yml:10:9:13:6 | Uses Step | .github/workflows/test7.yml:13:9:16:6 | Uses Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/test8.yml:15:9:17:2 | Run Step | .github/workflows/test8.yml:12:9:15:6 | Uses Step | .github/workflows/test8.yml:15:9:17:2 | Run Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/test8.yml:26:9:28:2 | Uses Step | .github/workflows/test8.yml:23:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:28:2 | Uses Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/test8.yml:37:9:37:75 | Run Step | .github/workflows/test8.yml:34:9:37:6 | Uses Step | .github/workflows/test8.yml:37:9:37:75 | Run Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/test11.yml:19:9:23:6 | Uses Step | .github/workflows/test11.yml:14:9:19:6 | Uses Step | 
.github/workflows/test11.yml:19:9:23:6 | Uses Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/test15.yml:17:9:21:6 | Uses Step | .github/workflows/test15.yml:14:9:17:6 | Uses Step | .github/workflows/test15.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/test16.yml:17:9:21:6 | Uses Step | .github/workflows/test16.yml:14:9:17:6 | Uses Step | .github/workflows/test16.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/test17.yml:22:9:26:31 | Uses Step | .github/workflows/test17.yml:15:9:20:6 | Uses Step | .github/workflows/test17.yml:22:9:26:31 | Uses Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:33:7:38:4 | Uses Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/test20.yml:42:7:43:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | Potential cache poisoning in the context of the default branch | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 92d5a0b5ce1..29b311435dd 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected 
@@ -1,8 +1,265 @@ -| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/level0.yml:99:9:103:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/level0.yml:125:9:129:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/mend.yml:22:9:29:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | -| .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. 
| +edges +| .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | +| .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | +| .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | +| .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | +| .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | +| .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | +| .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | +| .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | +| .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | +| .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | +| .github/workflows/artifactpoisoning7.yml:8:9:16:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:16:9:20:6 | Run Step: artifact | +| .github/workflows/artifactpoisoning7.yml:8:9:16:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:20:9:21:52 | Run Step | +| .github/workflows/artifactpoisoning7.yml:16:9:20:6 | Run Step: artifact | .github/workflows/artifactpoisoning7.yml:20:9:21:52 | Run Step | +| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:32:9:36:6 | Run Step | +| 
.github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | +| .github/workflows/artifactpoisoning11.yml:32:9:36:6 | Run Step | .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | +| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:32:9:36:6 | Run Step | +| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:36:9:38:62 | Run Step | +| .github/workflows/artifactpoisoning12.yml:32:9:36:6 | Run Step | .github/workflows/artifactpoisoning12.yml:36:9:38:62 | Run Step | +| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:18:9:20:21 | Run Step | +| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:17:9:18:20 | Run Step | +| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:15:9:18:6 | Run Step | +| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | +| .github/workflows/artifactpoisoning31.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | +| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | +| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:16:9:20:6 | Uses Step | +| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step | +| .github/workflows/artifactpoisoning34.yml:16:9:20:6 | Uses Step | .github/workflows/artifactpoisoning34.yml:20:9:22:23 | 
Run Step | +| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | +| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step | +| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:15:9:18:6 | Run Step | +| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | +| .github/workflows/artifactpoisoning51.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | +| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:15:9:18:6 | Run Step | +| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:18:9:23:40 | Run Step | +| .github/workflows/artifactpoisoning52.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning52.yml:18:9:23:40 | Run Step | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:15:9:18:6 | Run Step | +| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | +| .github/workflows/artifactpoisoning53.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | +| .github/workflows/artifactpoisoning61.yml:20:9:41:6 | Uses Step | .github/workflows/artifactpoisoning61.yml:41:9:53:6 | Run Step: prepare | +| .github/workflows/artifactpoisoning61.yml:20:9:41:6 | Uses Step | .github/workflows/artifactpoisoning61.yml:53:9:53:50 | Run Step | +| .github/workflows/artifactpoisoning61.yml:41:9:53:6 | Run Step: prepare | .github/workflows/artifactpoisoning61.yml:53:9:53:50 | Run Step | +| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:27:9:32:6 
| Uses Step | +| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | +| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | +| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:40:9:44:6 | Run Step | +| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:44:9:48:6 | Run Step | +| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | +| .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | +| .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | +| .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | .github/workflows/auto_ci.yml:40:9:44:6 | Run Step | +| .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | .github/workflows/auto_ci.yml:44:9:48:6 | Run Step | +| .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | +| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | +| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:40:9:44:6 | Run Step | +| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:44:9:48:6 | Run Step | +| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | +| .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | .github/workflows/auto_ci.yml:40:9:44:6 | Run Step | +| .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | .github/workflows/auto_ci.yml:44:9:48:6 | Run Step | +| .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | +| .github/workflows/auto_ci.yml:40:9:44:6 | Run Step | .github/workflows/auto_ci.yml:44:9:48:6 | Run Step | +| 
.github/workflows/auto_ci.yml:40:9:44:6 | Run Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | +| .github/workflows/auto_ci.yml:44:9:48:6 | Run Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | +| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | +| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | +| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | +| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | +| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | +| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | +| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | +| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | +| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | +| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | +| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | +| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | +| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | +| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | +| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | +| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | 
.github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | +| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | +| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | +| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | +| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | +| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | +| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | +| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | +| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | +| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | +| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | +| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | +| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | +| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | +| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | +| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | +| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | +| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | 
.github/workflows/auto_ci.yml:119:9:125:6 | Run Step | +| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | +| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | +| .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | +| .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | +| .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | +| .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | +| .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | +| .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | +| .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | +| .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | +| .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | +| .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step | +| .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | .github/workflows/dependabot1.yml:19:9:23:6 | Run Step: nvm | +| .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | .github/workflows/dependabot1.yml:23:9:28:6 | Uses Step | +| .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | .github/workflows/dependabot1.yml:28:9:31:6 | Run Step | +| .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | .github/workflows/dependabot1.yml:31:9:34:6 | Run Step | +| 
.github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | .github/workflows/dependabot1.yml:34:9:36:2 | Run Step | +| .github/workflows/dependabot1.yml:19:9:23:6 | Run Step: nvm | .github/workflows/dependabot1.yml:23:9:28:6 | Uses Step | +| .github/workflows/dependabot1.yml:19:9:23:6 | Run Step: nvm | .github/workflows/dependabot1.yml:28:9:31:6 | Run Step | +| .github/workflows/dependabot1.yml:19:9:23:6 | Run Step: nvm | .github/workflows/dependabot1.yml:31:9:34:6 | Run Step | +| .github/workflows/dependabot1.yml:19:9:23:6 | Run Step: nvm | .github/workflows/dependabot1.yml:34:9:36:2 | Run Step | +| .github/workflows/dependabot1.yml:23:9:28:6 | Uses Step | .github/workflows/dependabot1.yml:28:9:31:6 | Run Step | +| .github/workflows/dependabot1.yml:23:9:28:6 | Uses Step | .github/workflows/dependabot1.yml:31:9:34:6 | Run Step | +| .github/workflows/dependabot1.yml:23:9:28:6 | Uses Step | .github/workflows/dependabot1.yml:34:9:36:2 | Run Step | +| .github/workflows/dependabot1.yml:28:9:31:6 | Run Step | .github/workflows/dependabot1.yml:31:9:34:6 | Run Step | +| .github/workflows/dependabot1.yml:28:9:31:6 | Run Step | .github/workflows/dependabot1.yml:34:9:36:2 | Run Step | +| .github/workflows/dependabot1.yml:31:9:34:6 | Run Step | .github/workflows/dependabot1.yml:34:9:36:2 | Run Step | +| .github/workflows/dependabot1.yml:39:9:43:6 | Uses Step | .github/workflows/dependabot1.yml:43:9:45:29 | Uses Step | +| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | .github/workflows/dependabot2.yml:38:9:42:6 | Run Step: nvm | +| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step | +| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | .github/workflows/dependabot2.yml:47:9:52:6 | Run Step | +| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | .github/workflows/dependabot2.yml:52:9:58:6 | Run Step | +| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | 
.github/workflows/dependabot2.yml:58:9:61:6 | Run Step | +| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | .github/workflows/dependabot2.yml:61:9:68:19 | Run Step | +| .github/workflows/dependabot2.yml:38:9:42:6 | Run Step: nvm | .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step | +| .github/workflows/dependabot2.yml:38:9:42:6 | Run Step: nvm | .github/workflows/dependabot2.yml:47:9:52:6 | Run Step | +| .github/workflows/dependabot2.yml:38:9:42:6 | Run Step: nvm | .github/workflows/dependabot2.yml:52:9:58:6 | Run Step | +| .github/workflows/dependabot2.yml:38:9:42:6 | Run Step: nvm | .github/workflows/dependabot2.yml:58:9:61:6 | Run Step | +| .github/workflows/dependabot2.yml:38:9:42:6 | Run Step: nvm | .github/workflows/dependabot2.yml:61:9:68:19 | Run Step | +| .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step | .github/workflows/dependabot2.yml:47:9:52:6 | Run Step | +| .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step | .github/workflows/dependabot2.yml:52:9:58:6 | Run Step | +| .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step | .github/workflows/dependabot2.yml:58:9:61:6 | Run Step | +| .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step | .github/workflows/dependabot2.yml:61:9:68:19 | Run Step | +| .github/workflows/dependabot2.yml:47:9:52:6 | Run Step | .github/workflows/dependabot2.yml:52:9:58:6 | Run Step | +| .github/workflows/dependabot2.yml:47:9:52:6 | Run Step | .github/workflows/dependabot2.yml:58:9:61:6 | Run Step | +| .github/workflows/dependabot2.yml:47:9:52:6 | Run Step | .github/workflows/dependabot2.yml:61:9:68:19 | Run Step | +| .github/workflows/dependabot2.yml:52:9:58:6 | Run Step | .github/workflows/dependabot2.yml:58:9:61:6 | Run Step | +| .github/workflows/dependabot2.yml:52:9:58:6 | Run Step | .github/workflows/dependabot2.yml:61:9:68:19 | Run Step | +| .github/workflows/dependabot2.yml:58:9:61:6 | Run Step | .github/workflows/dependabot2.yml:61:9:68:19 | Run Step | +| 
.github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:18:11:21:8 | Uses Step | +| .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | +| .github/workflows/gitcheckout.yml:18:11:21:8 | Uses Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | +| .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | +| .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step | +| .github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | +| .github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | .github/workflows/issue_comment_3rd_party_action.yml:49:9:52:25 | Uses Step | +| .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | .github/workflows/issue_comment_3rd_party_action.yml:49:9:52:25 | Uses Step | +| .github/workflows/issue_comment_heuristic.yml:11:9:24:6 | Uses Step: get-pr-info | .github/workflows/issue_comment_heuristic.yml:24:9:28:6 | Run Step: get-sha | +| .github/workflows/issue_comment_heuristic.yml:11:9:24:6 | Uses Step: get-pr-info | .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step | +| .github/workflows/issue_comment_heuristic.yml:24:9:28:6 | Run Step: get-sha | .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step | +| .github/workflows/issue_comment_heuristic.yml:37:7:48:4 | Run Step: vars | .github/workflows/issue_comment_heuristic.yml:48:7:50:46 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | +| 
.github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:38:9:52:6 | Uses Step: get-pr-info | .github/workflows/issue_comment_octokit.yml:52:9:57:6 | Run Step: get-sha | +| .github/workflows/issue_comment_octokit.yml:38:9:52:6 | Uses Step: get-pr-info | .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:52:9:57:6 | Run Step: get-sha | .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:66:9:79:6 | Uses Step: sha | .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:87:9:95:6 | Uses Step: sha | .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | +| .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | +| .github/workflows/label_trusted_checkout.yml:11:7:15:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:15:7:16:4 | Uses Step | +| .github/workflows/label_trusted_checkout.yml:11:7:15:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:16:7:20:4 | Run Step | +| .github/workflows/label_trusted_checkout.yml:11:7:15:4 | Uses Step | 
.github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | +| .github/workflows/label_trusted_checkout.yml:11:7:15:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | +| .github/workflows/label_trusted_checkout.yml:15:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:16:7:20:4 | Run Step | +| .github/workflows/label_trusted_checkout.yml:15:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | +| .github/workflows/label_trusted_checkout.yml:15:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | +| .github/workflows/label_trusted_checkout.yml:16:7:20:4 | Run Step | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | +| .github/workflows/label_trusted_checkout.yml:16:7:20:4 | Run Step | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | +| .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | +| .github/workflows/level0.yml:33:9:36:6 | Uses Step | .github/workflows/level0.yml:36:9:39:6 | Uses Step | +| .github/workflows/level0.yml:33:9:36:6 | Uses Step | .github/workflows/level0.yml:39:9:52:2 | Run Step: check_profanities | +| .github/workflows/level0.yml:36:9:39:6 | Uses Step | .github/workflows/level0.yml:39:9:52:2 | Run Step: check_profanities | +| .github/workflows/level0.yml:62:9:65:6 | Uses Step | .github/workflows/level0.yml:65:9:86:2 | Uses Step | +| .github/workflows/level0.yml:96:9:99:6 | Uses Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | +| .github/workflows/level0.yml:96:9:99:6 | Uses Step | .github/workflows/level0.yml:103:9:107:6 | Uses Step | +| .github/workflows/level0.yml:96:9:99:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | +| .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:103:9:107:6 | Uses Step | +| 
.github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | +| .github/workflows/level0.yml:103:9:107:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | +| .github/workflows/level0.yml:122:9:125:6 | Uses Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | +| .github/workflows/level0.yml:122:9:125:6 | Uses Step | .github/workflows/level0.yml:129:9:133:6 | Uses Step | +| .github/workflows/level0.yml:122:9:125:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | +| .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:129:9:133:6 | Uses Step | +| .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | +| .github/workflows/level0.yml:129:9:133:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | +| .github/workflows/mend.yml:13:9:22:6 | Run Step: set_ref | .github/workflows/mend.yml:22:9:29:6 | Uses Step | +| .github/workflows/mend.yml:13:9:22:6 | Run Step: set_ref | .github/workflows/mend.yml:29:9:33:28 | Uses Step | +| .github/workflows/mend.yml:22:9:29:6 | Uses Step | .github/workflows/mend.yml:29:9:33:28 | Uses Step | +| .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | .github/workflows/priv_pull_request_checkout.yml:20:9:23:52 | Run Step | +| .github/workflows/test1.yml:18:9:21:6 | Uses Step | .github/workflows/test1.yml:21:9:24:6 | Run Step | +| .github/workflows/test1.yml:18:9:21:6 | Uses Step | .github/workflows/test1.yml:24:9:25:39 | Run Step | +| .github/workflows/test1.yml:21:9:24:6 | Run Step | .github/workflows/test1.yml:24:9:25:39 | Run Step | +| .github/workflows/test2.yml:13:9:16:6 | Uses Step | .github/workflows/test2.yml:16:9:20:52 | Uses Step | +| .github/workflows/test3.yml:28:9:33:6 | Uses Step | .github/workflows/test3.yml:33:9:35:6 | Run Step | +| .github/workflows/test3.yml:28:9:33:6 | Uses Step | 
.github/workflows/test3.yml:35:9:41:63 | Uses Step | +| .github/workflows/test3.yml:33:9:35:6 | Run Step | .github/workflows/test3.yml:35:9:41:63 | Uses Step | +| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:25:7:31:4 | Uses Step | +| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:31:7:33:4 | Uses Step | +| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:33:7:38:4 | Uses Step | +| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:38:7:40:4 | Run Step | +| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:40:7:41:4 | Run Step | +| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:41:7:42:4 | Run Step | +| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | +| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | +| .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:31:7:33:4 | Uses Step | +| .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:33:7:38:4 | Uses Step | +| .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:38:7:40:4 | Run Step | +| .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:40:7:41:4 | Run Step | +| .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:41:7:42:4 | Run Step | +| .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | +| .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | +| .github/workflows/test4.yml:31:7:33:4 | Uses Step | .github/workflows/test4.yml:33:7:38:4 | Uses Step | +| .github/workflows/test4.yml:31:7:33:4 | Uses Step | .github/workflows/test4.yml:38:7:40:4 | Run Step | +| 
.github/workflows/test4.yml:31:7:33:4 | Uses Step | .github/workflows/test4.yml:40:7:41:4 | Run Step | +| .github/workflows/test4.yml:31:7:33:4 | Uses Step | .github/workflows/test4.yml:41:7:42:4 | Run Step | +| .github/workflows/test4.yml:31:7:33:4 | Uses Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | +| .github/workflows/test4.yml:31:7:33:4 | Uses Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | +| .github/workflows/test4.yml:33:7:38:4 | Uses Step | .github/workflows/test4.yml:38:7:40:4 | Run Step | +| .github/workflows/test4.yml:33:7:38:4 | Uses Step | .github/workflows/test4.yml:40:7:41:4 | Run Step | +| .github/workflows/test4.yml:33:7:38:4 | Uses Step | .github/workflows/test4.yml:41:7:42:4 | Run Step | +| .github/workflows/test4.yml:33:7:38:4 | Uses Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | +| .github/workflows/test4.yml:33:7:38:4 | Uses Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | +| .github/workflows/test4.yml:38:7:40:4 | Run Step | .github/workflows/test4.yml:40:7:41:4 | Run Step | +| .github/workflows/test4.yml:38:7:40:4 | Run Step | .github/workflows/test4.yml:41:7:42:4 | Run Step | +| .github/workflows/test4.yml:38:7:40:4 | Run Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | +| .github/workflows/test4.yml:38:7:40:4 | Run Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | +| .github/workflows/test4.yml:40:7:41:4 | Run Step | .github/workflows/test4.yml:41:7:42:4 | Run Step | +| .github/workflows/test4.yml:40:7:41:4 | Run Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | +| .github/workflows/test4.yml:40:7:41:4 | Run Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | +| .github/workflows/test4.yml:41:7:42:4 | Run Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | +| .github/workflows/test4.yml:41:7:42:4 | Run Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | +| .github/workflows/test4.yml:42:7:43:4 | Run Step | .github/workflows/test4.yml:43:7:46:39 
| Uses Step | +| .github/workflows/unpinned_tags.yml:9:7:10:4 | Uses Step | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | +| .github/workflows/unpinned_tags.yml:9:7:10:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:11:61 | Uses Step | +| .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:11:61 | Uses Step | +| .github/workflows/untrusted_checkout2.yml:7:9:14:6 | Run Step: pr_number | .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | +| .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | +| .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | +| .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | +| .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | +| .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | +| .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | +| .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | +#select +| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | +| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. 
| +| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | +| .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | +| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | +| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | +| .github/workflows/mend.yml:29:9:33:28 | Uses Step | .github/workflows/mend.yml:22:9:29:6 | Uses Step | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Potential unsafe checkout of untrusted code on a privileged workflow. | +| .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | +| .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. |
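Review bot: The `edges` section of this expected file links every step to every later step in its job, not just to the next one (for example `actor_trusted_checkout.yml:9:7` points to 14:7, 15:7, 19:7 and 23:7). It also lists workflows that have no row under `#select`, such as `actor_trusted_checkout.yml` and `unpinned_tags.yml`. As a result each reported path is a single checkout-to-step hop, and the 254 edge rows will change whenever any test workflow is added or edited, which makes a real change in the nine alert rows easy to miss in review. Consider narrowing the relation in the query to the pairs the alert actually uses, something like `query predicate edges(Step a, Step b) { a instanceof PRHeadCheckoutStep and b instanceof PoisonableStep and a.getAFollowingStep() = b }`, assuming `getAFollowingStep()` is meant to be transitive as this output suggests. All eight checkouts from the removed rows still appear as sources under `#select`, so no previously reported finding is lost.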