Add workflow_dispatch and scheduled to the list of privileged and external (user interaction) events

ql/lib/codeql/actions/dataflow/FlowSources.qll

@@ -40,9 +40,10 @@ class GitHubCtxSource extends RemoteFlowSource {
 
 class GitHubEventCtxSource extends RemoteFlowSource {
   string flag;
+  string context;
 
   GitHubEventCtxSource() {
-    exists(Expression e, string context, string regexp |
+    exists(Expression e, string regexp |
       this.asExpr() = e and
       context = e.getExpression() and
       (
@@ -62,6 +63,8 @@ class GitHubEventCtxSource extends RemoteFlowSource {
   }
 
   override string getSourceType() { result = flag }
+
+  string getContext() { result = context }
 }
 
 abstract class CommandSource extends RemoteFlowSource {

ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll

@@ -197,9 +197,23 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt
   ActionsMutableRefCheckout() {
     this.getCallee() = "actions/checkout" and
     (
-      exists(ActionsMutableRefCheckoutFlow::PathNode sink |
-        ActionsMutableRefCheckoutFlow::flowPath(_, sink) and
-        sink.getNode().asExpr() = this.getArgumentExpr(["ref", "repository"])
+      exists(
+        ActionsMutableRefCheckoutFlow::PathNode source, ActionsMutableRefCheckoutFlow::PathNode sink
+      |
+        ActionsMutableRefCheckoutFlow::flowPath(source, sink) and
+        sink.getNode().asExpr() = this.getArgumentExpr(["ref", "repository"]) and
+        (
+          not source.getNode() instanceof GitHubEventCtxSource
+          or
+          source.getNode() instanceof GitHubEventCtxSource and
+          // the context is available for the job trigger events
+          exists(string context, string context_prefix |
+            contextTriggerDataModel(this.getEnclosingWorkflow().getATriggerEvent().getName(),
+              context_prefix) and
+            context = source.getNode().(GitHubEventCtxSource).getContext() and
+            normalizeExpr(context).matches("%" + context_prefix + "%")
+          )
+        )
       )
       or
       // heuristic base on the step id and field name
@@ -241,9 +255,21 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep {
   ActionsSHACheckout() {
     this.getCallee() = "actions/checkout" and
     (
-      exists(ActionsSHACheckoutFlow::PathNode sink |
-        ActionsSHACheckoutFlow::flowPath(_, sink) and
-        sink.getNode().asExpr() = this.getArgumentExpr(["ref", "repository"])
+      exists(ActionsSHACheckoutFlow::PathNode source, ActionsSHACheckoutFlow::PathNode sink |
+        ActionsSHACheckoutFlow::flowPath(source, sink) and
+        sink.getNode().asExpr() = this.getArgumentExpr(["ref", "repository"]) and
+        (
+          not source.getNode() instanceof GitHubEventCtxSource
+          or
+          source.getNode() instanceof GitHubEventCtxSource and
+          // the context is available for the job trigger events
+          exists(string context, string context_prefix |
+            contextTriggerDataModel(this.getEnclosingWorkflow().getATriggerEvent().getName(),
+              context_prefix) and
+            context = source.getNode().(GitHubEventCtxSource).getContext() and
+            normalizeExpr(context).matches("%" + context_prefix + "%")
+          )
+        )
       )
       or
       // heuristic base on the step id and field name

ql/lib/ext/config/context_event_map.yml

@@ -40,8 +40,6 @@ extensions:
       - ["push", "github.event.commits"]
       - ["push", "github.event.head_commit"]
       - ["push", "github.event.changes"] 
-      - ["repository_dispatch", "github.event.client_payload"]
-      - ["workflow_dispatch", "github.event.inputs"]
       - ["workflow_run", "github.event.workflow"]
       - ["workflow_run", "github.event.workflow_run"]
       - ["workflow_run", "github.event.changes"] 

ql/lib/ext/config/externally_triggereable_events.yml

@@ -16,4 +16,5 @@ extensions:
       - ["pull_request_target"]
       - ["workflow_run"] # depending on branch filter
       - ["workflow_call"] # depending on caller
-
+      - ["workflow_dispatch"] 
+      - ["scheduled"]

ql/lib/ext/config/untrusted_event_properties.yml

@@ -24,8 +24,6 @@ extensions:
       - ["github\\.event\\.workflow_run\\.head_commit\\.message", "text"]
       - ["github\\.event\\.pull_request\\.head\\.repo\\.description", "text"]
       - ["github\\.event\\.workflow_run\\.head_repository\\.description", "text"]
-      - ["github\\.event\\.client_payload\\[[0-9]+\\]", "text"]
-      - ["github\\.event\\.client_payload", "text"]
       - ["github\\.event\\.changes\\.body\\.from", "title"]
       # BRANCH
       - ["github\\.event\\.pull_request\\.head\\.repo\\.default_branch", "branch"]
@@ -59,7 +57,6 @@ extensions:
       # JSON
       - ["github", "json"]
       - ["github\\.event", "json"]
-      - ["github\\.event\\.client_payload", "json"]
       - ["github\\.event\\.comment", "json"]
       - ["github\\.event\\.commits", "json"]
       - ["github\\.event\\.discussion", "json"]

ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql

@@ -47,6 +47,8 @@ where
   ) and
   // the checkout occurs in a privileged context
   inPrivilegedContext(poisonable, event) and
+  not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout")) and
   not exists(ControlCheck check | check.protects(poisonable, event, "untrusted-checkout"))
-select poisonable, checkout, poisonable, "Execution of untrusted code on a privileged workflow. $@",
-  event, event.getLocation().getFile().toString()
+select poisonable, checkout, poisonable,
+  "Execution of untrusted code on a privileged workflow ($@)", event,
+  event.getLocation().getFile().toString()

ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected

@@ -1,13 +1,6 @@
 edges
-| .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | provenance |  |
-| .github/workflows/test1.yml:46:42:46:90 | github.event.client_payload.connector_name | .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | provenance |  |
-| .github/workflows/test1.yml:63:42:63:90 | github.event.client_payload.connector_name | .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | provenance |  |
 nodes
-| .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | semmle.label | input subcommand |
-| .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | semmle.label | inputs.subcommand |
 | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body |
-| .github/workflows/test1.yml:46:42:46:90 | github.event.client_payload.connector_name | semmle.label | github.event.client_payload.connector_name |
-| .github/workflows/test1.yml:63:42:63:90 | github.event.client_payload.connector_name | semmle.label | github.event.client_payload.connector_name |
 subpaths
 #select
 | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} |

ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected

@@ -1,14 +1,5 @@
 edges
-| .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | provenance |  |
-| .github/workflows/test1.yml:46:42:46:90 | github.event.client_payload.connector_name | .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | provenance |  |
-| .github/workflows/test1.yml:63:42:63:90 | github.event.client_payload.connector_name | .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | provenance |  |
 nodes
-| .github/actions/run-airbyte-ci/action.yaml:4:3:4:12 | input subcommand | semmle.label | input subcommand |
-| .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | semmle.label | inputs.subcommand |
 | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body |
-| .github/workflows/test1.yml:46:42:46:90 | github.event.client_payload.connector_name | semmle.label | github.event.client_payload.connector_name |
-| .github/workflows/test1.yml:63:42:63:90 | github.event.client_payload.connector_name | semmle.label | github.event.client_payload.connector_name |
 subpaths
 #select
-| .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | .github/workflows/test1.yml:46:42:46:90 | github.event.client_payload.connector_name | .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | Potential command injection in $@, which may be controlled by an external user. | .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | ${{ inputs.subcommand }} |
-| .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | .github/workflows/test1.yml:63:42:63:90 | github.event.client_payload.connector_name | .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | Potential command injection in $@, which may be controlled by an external user. | .github/actions/run-airbyte-ci/action.yaml:163:118:163:141 | inputs.subcommand | ${{ inputs.subcommand }} |

ql/test/query-tests/Security/CWE-094/.github/workflows/test18.yml

@@ -0,0 +1,33 @@
+on:
+  workflow_dispatch:
+
+jobs:
+  fetch-issues:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Fetch open issues
+        id: issues
+        uses: octokit/request-action@v2.x
+        with:
+          route: GET /repos/foo/bar/issues?state=open
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUBACTIONS_TOKEN }}
+
+      - name: Write issues to file
+        run: |
+          echo '${{ steps.issues.outputs.data }}' > issues.json
+          
+      - name: Setup Node.js
+        uses: actions/setup-node@v2
+        with:
+          node-version: '14'
+
+      - name: Print issue URLs
+        run: |
+          const fs = require('fs');
+          const issues = JSON.parse(fs.readFileSync('issues.json', 'utf8'));
+          const filteredIssues = issues.filter(issue => issue.body.includes('Is your portal managed or self-hosted?\r\n\r\nManaged'));
+          for (const issue of filteredIssues) {
+            console.log(issue.html_url);
+          }
+        shell: bash

ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected

@@ -159,6 +159,7 @@ edges
 | .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | provenance |  |
 | .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | provenance |  |
 | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | provenance |  |
+| .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | provenance |  |
 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance |  |
 | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance |  |
 | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance |  |
@@ -484,6 +485,8 @@ nodes
 | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | semmle.label | steps.issues.outputs.data |
 | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | semmle.label | Uses Step: get-pull-request |
 | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | semmle.label | fromJson(steps.get-pull-request.outputs.data).title |
+| .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | semmle.label | Uses Step: issues |
+| .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | semmle.label | steps.issues.outputs.data |
 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
 | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 |
 | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] |
@@ -639,6 +642,7 @@ subpaths
 | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | ${{ fromJson(steps.get-pr-details.outputs.data).head.ref }} |
 | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} |
 | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | ${{ fromJson(steps.get-pull-request.outputs.data).title }} |
+| .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} |
 | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} |
 | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} |
 | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} |

ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected

@@ -159,6 +159,7 @@ edges
 | .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | provenance |  |
 | .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | provenance |  |
 | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | provenance |  |
+| .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | provenance |  |
 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance |  |
 | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance |  |
 | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance |  |
@@ -484,6 +485,8 @@ nodes
 | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | semmle.label | steps.issues.outputs.data |
 | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | semmle.label | Uses Step: get-pull-request |
 | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | semmle.label | fromJson(steps.get-pull-request.outputs.data).title |
+| .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | semmle.label | Uses Step: issues |
+| .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | semmle.label | steps.issues.outputs.data |
 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
 | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 |
 | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] |

ql/test/query-tests/Security/CWE-829/.github/workflows/test19.yml

@@ -0,0 +1,22 @@
+on:
+  pull_request_target:
+    types: [ opened, synchronize ]
+
+permissions: {}
+jobs:
+  test:
+    permissions:
+      contents: write
+      pull-requests: write
+
+    runs-on: ubuntu-latest
+    env:
+      GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+    steps:
+    - name: Checkout repo for OWNER TEST
+      uses: actions/checkout@v4
+      if: contains(github.event.pull_request.labels.*.name, 'safe to test')
+      with:
+        ref: ${{ github.event.pull_request.head.ref }}
+    - run: |
+        ./cmd

ql/test/query-tests/Security/CWE-829/.github/workflows/test20.yml

@@ -0,0 +1,22 @@
+on:
+  pull_request_target:
+    types: [ opened, synchronize ]
+
+permissions: {}
+jobs:
+  test:
+    permissions:
+      contents: write
+      pull-requests: write
+
+    runs-on: ubuntu-latest
+    env:
+      GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+    steps:
+    - name: Checkout repo for OWNER TEST
+      uses: actions/checkout@v4
+      if: contains(github.event.pull_request.labels.*.name, 'safe to test')
+      with:
+        ref: ${{ github.event.pull_request.head.sha }}
+    - run: |
+        ./cmd

ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout.yml

@@ -1,15 +1,25 @@
 on:
-  pull_request_target
+  pull_request_target:
 
 jobs:
-  build:
+  test1:
     runs-on: ubuntu-latest
-    env:
-      HEAD: ${{ github.event.pull_request.head.sha }}
     steps:
       - uses: actions/checkout@v2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 21
+      - run: |
+          npm install
+          npm run lint
+  test2:
+    runs-on: ubuntu-latest
+    env:
+      HEAD: ${{ github.event.pull_request.head.sha }}
+    steps:
       - uses: actions/checkout@v2
         with:
           ref: ${{ env.HEAD }}

ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml

@@ -1,34 +1,8 @@
-name: Auto Bump Versions
-
 on:
   issue_comment:                                     
     types: [created, edited]
 
 jobs:
-  add-same-version-label-to-pr:
-    runs-on: ubuntu-latest
-    if: github.event.issue.pull_request && contains(github.event.comment.body, '/add-same-version-label')
-    steps:
-    - uses: actions/checkout@v3
-    - name: Add same version label
-      uses: actions/github-script@v6
-      if: success()
-      with:
-        github-token: ${{secrets.GITHUB_TOKEN}}
-        script: |
-          github.rest.issues.addLabels({
-            issue_number: context.issue.number,
-            owner: context.repo.owner,
-            repo: context.repo.repo,
-            labels: ['same version']
-          })
-          github.rest.issues.createComment({
-            issue_number: context.issue.number,
-            owner: context.repo.owner,
-            repo: context.repo.repo,
-            body: '👋 Added [same version] label :)!'
-          })
-
   build:
     if: ${{ github.event.issue.pull_request }} && contains(github.event.comment.body, '/version')
     runs-on: ubuntu-latest
@@ -75,26 +49,3 @@ jobs:
       run: |
         ./version.sh -u -p
         echo "BUMP_TYPE=patch" >> $GITHUB_ENV
-    
-    - name: Add labels
-      uses: actions/github-script@v6
-      if: ${{ env.BUMP_TYPE }}
-      with:
-        script: |
-          github.rest.issues.addLabels({
-            issue_number: context.issue.number,
-            owner: context.repo.owner,
-            repo: context.repo.repo,
-            labels: ['version/${{ env.BUMP_TYPE }}']
-          })
-
-    - name: Push Changes
-      if: ${{ env.BUMP_TYPE }}
-      run: |
-        git config user.name 'github-actions[bot]'
-        git config user.email 'github-actions[bot]@users.noreply.github.com'
-        git pull
-        git add .
-        git commit -m "Update ${{ env.BUMP_TYPE }} version" --signoff
-        git push
-        

ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected

@@ -265,6 +265,8 @@ edges
 | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step |
 | .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:33:15:36:12 | Run Step |
 | .github/workflows/test18.yml:33:15:36:12 | Run Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step |
+| .github/workflows/test19.yml:16:7:21:4 | Uses Step | .github/workflows/test19.yml:21:7:22:14 | Run Step |
+| .github/workflows/test20.yml:16:7:21:4 | Uses Step | .github/workflows/test20.yml:21:7:22:14 | Run Step |
 | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step |
 | .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | Run Step |
 | .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step |
@@ -274,16 +276,14 @@ edges
 | .github/workflows/untrusted_checkout3.yml:11:9:12:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step |
 | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step |
 | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step |
-| .github/workflows/untrusted_checkout4.yml:12:7:13:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:13:7:32:2 | Uses Step |
-| .github/workflows/untrusted_checkout4.yml:37:7:55:4 | Uses Step: get-pr | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step |
-| .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step |
-| .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step |
-| .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step |
-| .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | .github/workflows/untrusted_checkout4.yml:79:7:91:4 | Uses Step |
-| .github/workflows/untrusted_checkout4.yml:79:7:91:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:91:7:100:9 | Run Step |
-| .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step |
-| .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step |
-| .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step |
+| .github/workflows/untrusted_checkout4.yml:11:7:29:4 | Uses Step: get-pr | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step |
+| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step |
+| .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step |
+| .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step |
+| .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:11:9:15:6 | Uses Step |
+| .github/workflows/untrusted_checkout.yml:11:9:15:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step |
+| .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:26:9:30:6 | Uses Step |
+| .github/workflows/untrusted_checkout.yml:26:9:30:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step |
 | .github/workflows/untrusted_checkout_5.yml:11:9:14:6 | Uses Step | .github/workflows/untrusted_checkout_5.yml:14:9:17:6 | Uses Step |
 | .github/workflows/untrusted_checkout_5.yml:14:9:17:6 | Uses Step | .github/workflows/untrusted_checkout_5.yml:17:9:21:6 | Uses Step |
 | .github/workflows/untrusted_checkout_5.yml:17:9:21:6 | Uses Step | .github/workflows/untrusted_checkout_5.yml:21:9:23:23 | Run Step |
@@ -294,44 +294,44 @@ edges
 | .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step |
 | .github/workflows/workflow_run_untrusted_checkout_3.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_3.yml:16:9:18:31 | Uses Step |
 #select
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | .github/workflows/reusable_caller1.yaml |
-| .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/actor_trusted_checkout.yml:2:3:2:21 | pull_request_target | .github/workflows/actor_trusted_checkout.yml |
-| .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/artifactpoisoning91.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning91.yml |
-| .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/artifactpoisoning91.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning91.yml |
-| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning92.yml |
-| .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning92.yml |
-| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml |
-| .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml |
-| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml |
-| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml |
-| .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | .github/workflows/dependabot3.yml |
-| .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | .github/workflows/gitcheckout.yml |
-| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/level0.yml:3:3:3:8 | issues | .github/workflows/level0.yml |
-| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml |
-| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | .github/workflows/level0.yml |
-| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/level0.yml:3:3:3:8 | issues | .github/workflows/level0.yml |
-| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml |
-| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | .github/workflows/level0.yml |
-| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | .github/workflows/poc2.yml |
-| .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | .github/workflows/poc2.yml |
-| .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml |
-| .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml |
-| .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml |
-| .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml |
-| .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml |
-| .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml |
-| .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml |
-| .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml |
-| .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/reusable_caller3.yaml:4:3:4:21 | pull_request_target | .github/workflows/reusable_caller3.yaml |
-| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml |
-| .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml |
-| .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml |
-| .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | .github/workflows/test10.yml |
-| .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test11.yml:5:3:5:15 | issue_comment | .github/workflows/test11.yml |
-| .github/workflows/test17.yml:19:15:23:58 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/test17.yml:3:5:3:16 | workflow_run | .github/workflows/test17.yml |
-| .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | .github/workflows/untrusted_checkout3.yml |
-| .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/untrusted_checkout4.yml:4:3:4:15 | issue_comment | .github/workflows/untrusted_checkout4.yml |
-| .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/untrusted_checkout4.yml:4:3:4:15 | issue_comment | .github/workflows/untrusted_checkout4.yml |
-| .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/untrusted_checkout4.yml:4:3:4:15 | issue_comment | .github/workflows/untrusted_checkout4.yml |
-| .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | .github/workflows/untrusted_checkout.yml |
-| .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | .github/workflows/untrusted_checkout.yml |
+| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | .github/workflows/reusable_caller1.yaml |
+| .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning91.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning91.yml |
+| .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning91.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning91.yml |
+| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning92.yml |
+| .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning92.yml |
+| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml |
+| .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml |
+| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml |
+| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml |
+| .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | .github/workflows/dependabot3.yml |
+| .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | .github/workflows/gitcheckout.yml |
+| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:3:3:3:8 | issues | .github/workflows/level0.yml |
+| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml |
+| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | .github/workflows/level0.yml |
+| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:3:3:3:8 | issues | .github/workflows/level0.yml |
+| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml |
+| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | .github/workflows/level0.yml |
+| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | .github/workflows/poc2.yml |
+| .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | .github/workflows/poc2.yml |
+| .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml |
+| .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml |
+| .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml |
+| .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml |
+| .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml |
+| .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml |
+| .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml |
+| .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | .github/workflows/pr-workflow-fork.yaml |
+| .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller3.yaml:4:3:4:21 | pull_request_target | .github/workflows/reusable_caller3.yaml |
+| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml |
+| .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml |
+| .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml |
+| .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test10.yml:7:3:7:19 | workflow_dispatch | .github/workflows/test10.yml |
+| .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | .github/workflows/test10.yml |
+| .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test11.yml:5:3:5:15 | issue_comment | .github/workflows/test11.yml |
+| .github/workflows/test17.yml:19:15:23:58 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test17.yml:3:5:3:16 | workflow_run | .github/workflows/test17.yml |
+| .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | .github/workflows/untrusted_checkout3.yml |
+| .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | .github/workflows/untrusted_checkout4.yml |
+| .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | .github/workflows/untrusted_checkout4.yml |
+| .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | .github/workflows/untrusted_checkout4.yml |
+| .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | .github/workflows/untrusted_checkout.yml |
+| .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | .github/workflows/untrusted_checkout.yml |

ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected

@@ -1,3 +1,7 @@
+| .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
+| .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
+| .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
+| .github/workflows/issue_comment_3rd_party_action.yml:49:9:52:25 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
 | .github/workflows/issue_comment_direct.yml:12:9:16:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
 | .github/workflows/issue_comment_direct.yml:20:9:24:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. |
 | .github/workflows/issue_comment_direct.yml:28:9:32:2 | Uses Step | Potential execution of untrusted code on a privileged workflow. |

ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected

@@ -4,10 +4,6 @@
 | .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/dependabot1.yml:39:9:43:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/issue_comment_3rd_party_action.yml:49:9:52:25 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/mend.yml:22:9:29:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/poc.yml:30:9:36:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |