From 86c5d9f1cd9686d55d81c7b4b48ea2d06ffcec72 Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo
Date: Thu, 27 Feb 2025 11:48:27 -0500
Subject: [PATCH] Move list of immutable actions into internal model pack for now.
---
.../ext/immutable_actions.yml | 28 +++++++++++++++++++
.../immutable-actions-list/qlpack.yml | 13 +++++++++
.../ql/lib/ext/config/immutable_actions.yml | 24 ++++------------
.../lib/ext/config/trusted_actions_owner.yml | 3 +-
actions/ql/test/qlpack.yml | 4 +++
codeql-workspace.yml | 2 +-
6 files changed, 54 insertions(+), 20 deletions(-)
create mode 100644 actions/ql/extensions/immutable-actions-list/ext/immutable_actions.yml
create mode 100644 actions/ql/extensions/immutable-actions-list/qlpack.yml
diff --git a/actions/ql/extensions/immutable-actions-list/ext/immutable_actions.yml b/actions/ql/extensions/immutable-actions-list/ext/immutable_actions.yml
new file mode 100644
index 00000000000..1b78930778a
--- /dev/null
+++ b/actions/ql/extensions/immutable-actions-list/ext/immutable_actions.yml
@@ -0,0 +1,28 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: immutableActionsDataModel
+    data:
+      - ["actions/checkout"]
+      - ["actions/cache"]
+      - ["actions/setup-node"]
+      - ["actions/upload-artifact"]
+      - ["actions/setup-python"]
+      - ["actions/download-artifact"]
+      - ["actions/github-script"]
+      - ["actions/setup-java"]
+      - ["actions/setup-go"]
+      - ["actions/upload-pages-artifact"]
+      - ["actions/deploy-pages"]
+      - ["actions/setup-dotnet"]
+      - ["actions/stale"]
+      - ["actions/labeler"]
+      - ["actions/create-github-app-token"]
+      - ["actions/configure-pages"]
+      - ["github/codeql-action/analyze"]
+      - ["github/codeql-action/autobuild"]
+      - ["github/codeql-action/init"]
+      - ["github/codeql-action/resolve-environment"]
+      - ["github/codeql-action/start-proxy"]
+      - ["github/codeql-action/upload-sarif"]
+      - ["octokit/request-action"]
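Review bot: Six rows in this new list — `github/codeql-action/analyze`, `autobuild`, `init`, `resolve-environment`, `start-proxy` and `upload-sarif` — have no counterpart among the 17 rows removed from `actions/ql/lib/ext/config/immutable_actions.yml` in the same patch, so the change extends the list rather than only moving it, which neither the subject line nor this file records. The comment added to the library file states that an empty list means no alerts about unversioned immutable action references, so these rows decide what gets flagged and a reader needs to know how a row earns its place and who maintains it. A header comment above `extensions:` along the lines of `# Actions known to support Immutable Actions; source of truth: <PLACEHOLDER-URL>. Add rows only after checking that list.` would make later additions reviewable against a stated criterion.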
diff --git a/actions/ql/extensions/immutable-actions-list/qlpack.yml b/actions/ql/extensions/immutable-actions-list/qlpack.yml
new file mode 100644
index 00000000000..cc957721c12
--- /dev/null
+++ b/actions/ql/extensions/immutable-actions-list/qlpack.yml
@@ -0,0 +1,13 @@
+# Model pack containing the list of known immutable actions. The Immutable Actions feature is not
+# yet released, so this pack will only be used within GitHub. Once the feature is available to
+# customers, we will move the contents of this pack back into the standard library pack.
+name: github/immutable-actions-list
+version: 0.0.1-dev
+library: true
+extensionTargets:
+  # We expect to need this model pack even after GA of Actions analysis, so make it compatible with
+  # all future prereleases plus 1.x.x. We should be able to remove this back before we need to
+  # bump the major version to 2.
+  codeql/actions-all: ">=0.4.3 <2.0.0"
+dataExtensions:
+- ext/**/*.yml
diff --git a/actions/ql/lib/ext/config/immutable_actions.yml b/actions/ql/lib/ext/config/immutable_actions.yml
index d6a9b1020d7..6a57ce21d53 100644
--- a/actions/ql/lib/ext/config/immutable_actions.yml
+++ b/actions/ql/lib/ext/config/immutable_actions.yml
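Review bot: The comment under `extensionTargets:` reads `remove this back before we need to bump the major version to 2`, where `back` looks like a typo for `pack`; suggested wording for the last two comment lines: `# all future prereleases plus 1.x.x. We should be able to remove this pack before we need to` / `# bump the major version to 2.`. Separately, `dataExtensions:` uses a flush sequence (`- ext/**/*.yml`) while every other sequence in this patch, including the `data:` rows in `ext/immutable_actions.yml`, is indented under its key, so `  - ext/**/*.yml` would keep the new pack consistent with the rest of the change.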
@@ -2,21 +2,9 @@ extensions: - addsTo: pack: codeql/actions-all extensible: immutableActionsDataModel - data: - - ["actions/checkout"] - - ["actions/cache"] - - ["actions/setup-node"] - - ["actions/upload-artifact"] - - ["actions/setup-python"] - - ["actions/download-artifact"] - - ["actions/github-script"] - - ["actions/setup-java"] - - ["actions/setup-go"] - - ["actions/upload-pages-artifact"] - - ["actions/deploy-pages"] - - ["actions/setup-dotnet"] - - ["actions/stale"] - - ["actions/labeler"] - - ["actions/create-github-app-token"] - - ["actions/configure-pages"] - - ["octokit/request-action"] + # Since the Immutable Actions feature is not yet available to customers, we won't alert about + # any unversioned immutable action references for now. Within GitHub, we'll include the + # `github/immutable-actions-list` model pack, which will provide the necessary list of actions + # for internal use. Once the feature is available to customers, we'll move that list back into + # this file. + data: [] diff --git a/actions/ql/lib/ext/config/trusted_actions_owner.yml b/actions/ql/lib/ext/config/trusted_actions_owner.yml index c90b1afee76..9efc450e334 100644 --- a/actions/ql/lib/ext/config/trusted_actions_owner.yml +++ b/actions/ql/lib/ext/config/trusted_actions_owner.yml @@ -5,4 +5,5 @@ extensions: data: - ["actions"] - ["github"] - - ["advanced-security"] \ No newline at end of file + - ["advanced-security"] + - ["octokit"] diff --git a/actions/ql/test/qlpack.yml b/actions/ql/test/qlpack.yml index 12711bee904..8eaedd2f690 100644 --- a/actions/ql/test/qlpack.yml +++ b/actions/ql/test/qlpack.yml 
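Review bot: The added `- ["octokit"]` row in `actions/ql/lib/ext/config/trusted_actions_owner.yml` widens the set of owners whose actions are treated as trusted, yet the subject line and the diffstat narrative only describe moving the immutable-actions list, so the reason for trusting a further owner is not recorded anywhere a reviewer can check. Presumably it follows from `octokit/request-action` already being in the immutable list, but that relationship is not stated in either file. An inline comment on the row, e.g. `- ["octokit"]  # trusted because: <REASON-PLACEHOLDER>; see octokit/request-action in immutable_actions.yml`, or a sentence in the commit description, would make the trust expansion auditable. The accompanying fix of the missing trailing newline on the `advanced-security` row is fine.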
@@ -3,6 +3,10 @@ groups: [codeql, test] dependencies: codeql/actions-all: ${workspace} codeql/actions-queries: ${workspace} + # Use the `immutable-actions-list` model pack so that we have some actual data to test against. + # We can remove this dependency when we incorporate the data from that model pack back into the + # standard library pack. + github/immutable-actions-list: ${workspace} extractor: actions tests: . warnOnImplicitThis: true diff --git a/codeql-workspace.yml b/codeql-workspace.yml index bfd3106f97a..32cad09e20c 100644 --- a/codeql-workspace.yml +++ b/codeql-workspace.yml @@ -17,7 +17,7 @@ provide: - "misc/legacy-support/*/qlpack.yml" - "misc/suite-helpers/qlpack.yml" - ".github/codeql/extensions/**/codeql-pack.yml" - + - "actions/ql/extensions/**/qlpack.yml" versionPolicies: default: requireChangeNotes: true
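Review bot: The new `provide:` glob `"actions/ql/extensions/**/qlpack.yml"` in `codeql-workspace.yml` makes `github/immutable-actions-list` a full workspace member, while the pack's own header comment says it is meant to be used only within GitHub until the feature is released. If any release or publish step enumerates the workspace's provided packs, this pack would be picked up along with the public ones; I could not tell from the patch whether such a step exists, so it is worth confirming. A comment above the glob, e.g. `# TODO(review): confirm internal-only model packs here are excluded from publishing until Immutable Actions is released`, or an explicit exclusion in the release tooling, would record the intent either way. The same consideration applies to the `github/immutable-actions-list: ${workspace}` dependency added in `actions/ql/test/qlpack.yml`, whose comment already promises removal once the data returns to the standard library pack.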