From d344d9b97ad8811b8d2b72953bff3b7516744825 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= <pwntester@github.com>
Date: Thu, 6 Jun 2024 17:23:10 +0200
Subject: [PATCH] Update to latest dataflow shared library

---
 ql/lib/codeql-pack.lock.yml                   |  12 +-
 ql/lib/codeql/actions/DataFlow.qll            |   9 +-
 ql/lib/codeql/actions/TaintTracking.qll       |   5 +-
 .../internal/DataFlowImplSpecific.qll         |   3 +-
 .../dataflow/internal/DataFlowPrivate.qll     |  39 ++++-
 .../dataflow/internal/DataFlowPublic.qll      |   2 +-
 .../internal/TaintTrackingImplSpecific.qll    |   3 +-
 .../internal/TaintTrackingPrivate.qll         |   8 +-
 ql/lib/qlpack.gbo                             |  13 --
 ql/lib/qlpack.yml                             |   8 +-
 ql/test/codeql-pack.lock.yml                  |  12 +-
 .../CWE-020/CompositeActionsSinks.expected    |   8 +-
 .../CWE-020/CompositeActionsSources.expected  |   6 +-
 .../CompositeActionsSummaries.expected        |   6 +-
 .../CWE-020/ReusableWorkflowsSinks.expected   |   2 +-
 .../CWE-020/ReusableWorkflowsSources.expected |   6 +-
 .../ReusableWorkflowsSummaries.expected       |  10 +-
 .../CWE-077/EnvPathInjectionCritical.expected |  12 +-
 .../CWE-077/EnvPathInjectionMedium.expected   |  12 +-
 .../CWE-077/EnvVarInjectionCritical.expected  |  24 +--
 .../CWE-077/EnvVarInjectionMedium.expected    |  24 +--
 .../CWE-094/CodeInjectionCritical.expected    | 160 +++++++++---------
 .../CWE-094/CodeInjectionMedium.expected      | 160 +++++++++---------
 .../ArtifactPoisoningCritical.expected        |  26 +--
 .../CWE-829/ArtifactPoisoningMedium.expected  |  26 +--
 25 files changed, 310 insertions(+), 286 deletions(-)
 delete mode 100644 ql/lib/qlpack.gbo

diff --git a/ql/lib/codeql-pack.lock.yml b/ql/lib/codeql-pack.lock.yml
index 84a6ccba26d..4b8239b7f6c 100644
--- a/ql/lib/codeql-pack.lock.yml
+++ b/ql/lib/codeql-pack.lock.yml
@@ -2,15 +2,15 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/controlflow:
-    version: 0.1.8
+    version: 1.0.0
   codeql/dataflow:
-    version: 0.1.8
+    version: 1.0.0
   codeql/ssa:
-    version: 0.2.8
+    version: 1.0.0
   codeql/typetracking:
-    version: 0.2.8
+    version: 1.0.0
   codeql/util:
-    version: 0.2.8
+    version: 1.0.0
   codeql/yaml:
-    version: 0.1.5
+    version: 1.0.0
 compiled: false
diff --git a/ql/lib/codeql/actions/DataFlow.qll b/ql/lib/codeql/actions/DataFlow.qll
index 1e30061bf45..feafe4f68bb 100644
--- a/ql/lib/codeql/actions/DataFlow.qll
+++ b/ql/lib/codeql/actions/DataFlow.qll
@@ -2,18 +2,21 @@
  * Provides classes for performing local (intra-procedural) and
  * global (inter-procedural) data flow analyses.
  */
+
+import codeql.Locations
+
 module DataFlow {
   private import codeql.dataflow.DataFlow
   private import codeql.actions.dataflow.internal.DataFlowImplSpecific
-  import DataFlowMake<ActionsDataFlow>
+  import DataFlowMake<Location, ActionsDataFlow>
   import codeql.actions.dataflow.internal.DataFlowPublic
   // debug
   private import codeql.actions.dataflow.internal.TaintTrackingImplSpecific
   import codeql.dataflow.internal.DataFlowImplConsistency as DFIC
 
-  module ActionsConsistency implements DFIC::InputSig<ActionsDataFlow> { }
+  module ActionsConsistency implements DFIC::InputSig<Location, ActionsDataFlow> { }
 
   module Consistency {
-    import DFIC::MakeConsistency<ActionsDataFlow, ActionsTaintTracking, ActionsConsistency>
+    import DFIC::MakeConsistency<Location, ActionsDataFlow, ActionsTaintTracking, ActionsConsistency>
   }
 }
diff --git a/ql/lib/codeql/actions/TaintTracking.qll b/ql/lib/codeql/actions/TaintTracking.qll
index 16d5d826aa8..8203a54dfeb 100644
--- a/ql/lib/codeql/actions/TaintTracking.qll
+++ b/ql/lib/codeql/actions/TaintTracking.qll
@@ -2,9 +2,12 @@
  * Provides classes for performing local (intra-procedural) and
  * global (inter-procedural) taint-tracking analyses.
  */
+
+import codeql.Locations
+
 module TaintTracking {
   private import codeql.actions.dataflow.internal.DataFlowImplSpecific
   private import codeql.actions.dataflow.internal.TaintTrackingImplSpecific
   private import codeql.dataflow.TaintTracking
-  import TaintFlowMake<ActionsDataFlow, ActionsTaintTracking>
+  import TaintFlowMake<Location, ActionsDataFlow, ActionsTaintTracking>
 }
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll
index 2d3b9696ef6..2e3c13f164c 100644
--- a/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll
+++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll
@@ -4,8 +4,9 @@
  */
 
 private import codeql.dataflow.DataFlow
+private import codeql.Locations
 
-module ActionsDataFlow implements InputSig {
+module ActionsDataFlow implements InputSig<Location> {
   import DataFlowPrivate as Private
   import DataFlowPublic
   import Private
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
index b6b7cd53927..17b29f57025 100644
--- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
+++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
@@ -1,3 +1,4 @@
+private import codeql.util.Unit
 private import codeql.dataflow.DataFlow
 private import codeql.actions.Ast
 private import codeql.actions.Cfg as Cfg
@@ -8,6 +9,8 @@ private import codeql.actions.dataflow.ExternalFlow
 private import codeql.actions.dataflow.FlowSteps
 private import codeql.actions.dataflow.FlowSources
 
+class DataFlowSecondLevelScope = Unit;
+
 cached
 newtype TNode = TExprNode(DataFlowExpr e)
 
@@ -78,6 +81,9 @@ class DataFlowCall instanceof Cfg::Node {
   string getName() { result = super.getAstNode().(Uses).getCallee() }
 
   DataFlowCallable getEnclosingCallable() { result = super.getScope() }
+
+  /** Gets a best-effort total ordering. */
+  int totalorder() { none() }
 }
 
 /**
@@ -104,6 +110,9 @@ class DataFlowCallable instanceof Cfg::CfgScope {
                     .indexOf(["/action.yml", "/action.yaml"]))
       else none()
   }
+
+  /** Gets a best-effort total ordering. */
+  int totalorder() { none() }
 }
 
 newtype TReturnKind = TNormalReturn()
@@ -158,6 +167,19 @@ newtype TContent =
 
 predicate forceHighPrecision(Content c) { c instanceof FieldContent }
 
+class NodeRegion instanceof Unit {
+  string toString() { result = "NodeRegion" }
+
+  predicate contains(Node n) { none() }
+
+  int totalOrder() { result = 1 }
+}
+
+/**
+ * Holds if the nodes in `nr` are unreachable when the call context is `call`.
+ */
+predicate isUnreachableInCall(NodeRegion nr, DataFlowCall call) { none() }
+
 class ContentApprox = ContentSet;
 
 ContentApprox getContentApprox(Content c) { result = c }
@@ -287,9 +309,13 @@ predicate localFlowStep(Node nodeFrom, Node nodeTo) {
 }
 
 /**
- * a simple local flow step that should always preserve the call context (same callable)
+ * This is the local flow predicate that is used as a building block in global
+ * data flow.
  */
-predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) { localFlowStep(nodeFrom, nodeTo) }
+cached
+predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo, string model) {
+  localFlowStep(nodeFrom, nodeTo) and model = ""
+}
 
 /**
  * Holds if data can flow from `node1` to `node2` through a non-local step
@@ -366,11 +392,6 @@ predicate clearsContent(Node n, ContentSet c) { none() }
  */
 predicate expectsContent(Node n, ContentSet c) { none() }
 
-/**
- * Holds if the node `n` is unreachable when the call context is `call`.
- */
-predicate isUnreachableInCall(Node n, DataFlowCall call) { none() }
-
 /**
  * Holds if flow is allowed to pass from parameter `p` and back to itself as a
  * side-effect, resulting in a summary from `p` to itself.
@@ -400,3 +421,7 @@ predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preserves
  * This compression is normally done to not show SSA steps, casts, etc.
  */
 predicate neverSkipInPathGraph(Node node) { any() }
+
+predicate knownSourceModel(Node source, string model) { none() }
+
+predicate knownSinkModel(Node sink, string model) { none() }
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll
index 87e8124db91..96568f86db3 100644
--- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll
+++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll
@@ -178,7 +178,7 @@ class FieldContent extends Content, TFieldContent {
 
 predicate hasLocalFlow(Node n1, Node n2) {
   n1 = n2 or
-  simpleLocalFlowStep(n1, n2) or
+  simpleLocalFlowStep(n1, n2, _) or
   exists(ContentSet c | ctxFieldReadStep(n1, n2, c))
 }
 
diff --git a/ql/lib/codeql/actions/dataflow/internal/TaintTrackingImplSpecific.qll b/ql/lib/codeql/actions/dataflow/internal/TaintTrackingImplSpecific.qll
index c2d51748f20..2fd062e7660 100644
--- a/ql/lib/codeql/actions/dataflow/internal/TaintTrackingImplSpecific.qll
+++ b/ql/lib/codeql/actions/dataflow/internal/TaintTrackingImplSpecific.qll
@@ -3,9 +3,10 @@
  * Implementation of https://github.com/github/codeql/blob/main/shared/dataflow/codeql/dataflow/TaintTracking.qll
  */
 
+private import codeql.Locations
 private import codeql.dataflow.TaintTracking
 private import DataFlowImplSpecific
 
-module ActionsTaintTracking implements InputSig<ActionsDataFlow> {
+module ActionsTaintTracking implements InputSig<Location, ActionsDataFlow> {
   import TaintTrackingPrivate
 }
diff --git a/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll
index a7e0d23df2b..b8647339d24 100644
--- a/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll
+++ b/ql/lib/codeql/actions/dataflow/internal/TaintTrackingPrivate.qll
@@ -14,12 +14,16 @@ private import codeql.actions.Ast
  */
 predicate defaultTaintSanitizer(DataFlow::Node node) { none() }
 
+// predicate defaultAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+//   any(AdditionalTaintStep s).step(nodeFrom, nodeTo)
+// }
 /**
  * Holds if the additional step from `nodeFrom` to `nodeTo` should be included
  * in all global taint flow configurations.
  */
-predicate defaultAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-  any(AdditionalTaintStep s).step(nodeFrom, nodeTo)
+cached
+predicate defaultAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo, string model) {
+  any(AdditionalTaintStep s).step(nodeFrom, nodeTo) and model = ""
 }
 
 /**
diff --git a/ql/lib/qlpack.gbo b/ql/lib/qlpack.gbo
deleted file mode 100644
index c77f7924c12..00000000000
--- a/ql/lib/qlpack.gbo
+++ /dev/null
@@ -1,13 +0,0 @@
----
-warnOnImplicitThis: false
-name: seclab/actions-all
-version: 0.0.1-dev
-groups: actions
-extractor: actions
-library: true
-tests: test
-dependencies:
-  codeql/javascript-all: ^0.8.7
-  "codeql/controlflow": "*"
-  "codeql/dataflow": "*"
-  "codeql/ssa": "*"
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index bf05e80e0a6..48045dbf679 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -4,10 +4,10 @@ warnOnImplicitThis: true
 name: githubsecuritylab/actions-all
 version: 0.0.33
 dependencies:
-  codeql/util: ^0.2.0
-  codeql/yaml: ^0.1.2
-  codeql/controlflow: ^0.1.0
-  codeql/dataflow: ^0.1.0
+  codeql/util: ^1.0.0
+  codeql/yaml: ^1.0.0
+  codeql/controlflow: ^1.0.0
+  codeql/dataflow: ^1.0.0
 dbscheme: yaml.dbscheme
 extractor: yaml
 groups:
diff --git a/ql/test/codeql-pack.lock.yml b/ql/test/codeql-pack.lock.yml
index 84a6ccba26d..4b8239b7f6c 100644
--- a/ql/test/codeql-pack.lock.yml
+++ b/ql/test/codeql-pack.lock.yml
@@ -2,15 +2,15 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/controlflow:
-    version: 0.1.8
+    version: 1.0.0
   codeql/dataflow:
-    version: 0.1.8
+    version: 1.0.0
   codeql/ssa:
-    version: 0.2.8
+    version: 1.0.0
   codeql/typetracking:
-    version: 0.2.8
+    version: 1.0.0
   codeql/util:
-    version: 0.2.8
+    version: 1.0.0
   codeql/yaml:
-    version: 0.1.5
+    version: 1.0.0
 compiled: false
diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected b/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected
index 31e367ac317..0a5bfe433e9 100644
--- a/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected
+++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected
@@ -1,8 +1,8 @@
 edges
-| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:28:18:28:43 | inputs.who-to-greet |
-| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet |
-| action1/action.yml:24:7:31:4 | Uses Step: replace [value] | action1/action.yml:32:18:32:51 | steps.replace.outputs.value |
-| action1/action.yml:28:18:28:43 | inputs.who-to-greet | action1/action.yml:24:7:31:4 | Uses Step: replace [value] |
+| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:28:18:28:43 | inputs.who-to-greet | provenance |  |
+| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | provenance |  |
+| action1/action.yml:24:7:31:4 | Uses Step: replace [value] | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | provenance |  |
+| action1/action.yml:28:18:28:43 | inputs.who-to-greet | action1/action.yml:24:7:31:4 | Uses Step: replace [value] | provenance |  |
 nodes
 | action1/action.yml:4:3:4:14 | input who-to-greet | semmle.label | input who-to-greet |
 | action1/action.yml:24:7:31:4 | Uses Step: replace [value] | semmle.label | Uses Step: replace [value] |
diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected b/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected
index 6540b191068..87c185fb5e1 100644
--- a/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected
+++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected
@@ -1,7 +1,7 @@
 edges
-| action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files |
-| action1/action.yml:44:7:48:70 | Run Step: source [tainted] | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted |
-| action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:44:7:48:70 | Run Step: source [tainted] |
+| action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | provenance |  |
+| action1/action.yml:44:7:48:70 | Run Step: source [tainted] | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | provenance |  |
+| action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:44:7:48:70 | Run Step: source [tainted] | provenance |  |
 nodes
 | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | semmle.label | steps.source.outputs.tainted |
 | action1/action.yml:42:7:44:4 | Uses Step: changed-files | semmle.label | Uses Step: changed-files |
diff --git a/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected b/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected
index 063a26bd6ef..067edb68bb1 100644
--- a/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected
+++ b/ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected
@@ -1,7 +1,7 @@
 edges
-| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:41:30:41:55 | inputs.who-to-greet |
-| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected |
-| action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] |
+| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:41:30:41:55 | inputs.who-to-greet | provenance |  |
+| action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | provenance |  |
+| action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | provenance |  |
 nodes
 | action1/action.yml:4:3:4:14 | input who-to-greet | semmle.label | input who-to-greet |
 | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | semmle.label | steps.reflector.outputs.reflected |
diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected
index a45b9acf416..f2178960774 100644
--- a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected
+++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected
@@ -1,5 +1,5 @@
 edges
-| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path |
+| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | provenance |  |
 nodes
 | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path |
 | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | semmle.label | inputs.config-path |
diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected
index 2cabeaca9fa..c76034f74d4 100644
--- a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected
+++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected
@@ -1,7 +1,7 @@
 edges
-| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 |
-| .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] |
-| .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files |
+| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | provenance |  |
+| .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | provenance |  |
+| .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | provenance |  |
 nodes
 | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | semmle.label | jobs.job1.outputs.job-output2 |
 | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | semmle.label | Job outputs node [job-output2] |
diff --git a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected
index a6be99e1bd0..8589d82d825 100644
--- a/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected
+++ b/ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected
@@ -1,9 +1,9 @@
 edges
-| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path |
-| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 |
-| .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] |
-| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output |
-| .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] |
+| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | provenance |  |
+| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | provenance |  |
+| .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | provenance |  |
+| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | provenance |  |
+| .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | provenance |  |
 nodes
 | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path |
 | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | semmle.label | jobs.job1.outputs.job-output1 |
diff --git a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected
index c6091f1fc23..7fab238795c 100644
--- a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected
+++ b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected
@@ -1,10 +1,10 @@
 edges
-| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH |
-| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH |
-| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH |
-| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH |
-| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" |
-| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" |
+| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance |  |
+| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance |  |
+| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | provenance |  |
+| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | provenance |  |
+| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance |  |
+| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance |  |
 nodes
 | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | semmle.label | echo $(echo "$PATHINJ") >> $GITHUB_PATH |
diff --git a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected
index d3b90de71e3..ea360bc56df 100644
--- a/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected
+++ b/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected
@@ -1,10 +1,10 @@
 edges
-| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH |
-| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH |
-| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH |
-| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH |
-| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" |
-| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" |
+| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance |  |
+| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance |  |
+| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | provenance |  |
+| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | provenance |  |
+| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance |  |
+| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance |  |
 nodes
 | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | semmle.label | echo $(echo "$PATHINJ") >> $GITHUB_PATH |
diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected
index ffaaf91e550..0dbff955318 100644
--- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected
+++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected
@@ -1,16 +1,16 @@
 edges
-| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n |
-| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n |
-| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n |
-| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n |
-| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n |
-| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n |
-| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n |
-| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE"\n  echo EOF\n} >> "$GITHUB_ENV"\n |
-| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n |
-| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV |
-| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV |
-| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n |
+| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | provenance |  |
+| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | provenance |  |
+| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | provenance |  |
+| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | provenance |  |
+| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | provenance |  |
+| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | provenance |  |
+| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance |  |
+| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE"\n  echo EOF\n} >> "$GITHUB_ENV"\n | provenance |  |
+| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | provenance |  |
+| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | provenance |  |
+| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | provenance |  |
+| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | provenance |  |
 nodes
 | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n |
diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected
index 28fffe0e5e4..5641ea53afd 100644
--- a/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected
+++ b/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected
@@ -1,16 +1,16 @@
 edges
-| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n |
-| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n |
-| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n |
-| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n |
-| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n |
-| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n |
-| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n |
-| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE"\n  echo EOF\n} >> "$GITHUB_ENV"\n |
-| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n |
-| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV |
-| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV |
-| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n |
+| .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | provenance |  |
+| .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | provenance |  |
+| .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | provenance |  |
+| .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | provenance |  |
+| .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | provenance |  |
+| .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | provenance |  |
+| .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance |  |
+| .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE"\n  echo EOF\n} >> "$GITHUB_ENV"\n | provenance |  |
+| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | provenance |  |
+| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | provenance |  |
+| .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | provenance |  |
+| .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | provenance |  |
 nodes
 | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | semmle.label | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n |
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
index f7b4ae7bc11..fdb5beb09aa 100644
--- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
@@ -1,84 +1,84 @@
 edges
-| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced |
-| .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE |
-| .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] |
-| .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:22:14:22:55 | echo "::set-output name=id::$(<pr-id.txt)" |
-| .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id |
-| .github/workflows/artifactpoisoning1.yml:22:14:22:55 | echo "::set-output name=id::$(<pr-id.txt)" | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] |
-| .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id |
-| .github/workflows/artifactpoisoning7.yml:8:9:16:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:18:14:18:58 | echo "::set-output name=id::$(<artifact.txt)" |
-| .github/workflows/artifactpoisoning7.yml:16:9:20:6 | Run Step: artifact [id] | .github/workflows/artifactpoisoning7.yml:21:20:21:51 | steps.artifact.outputs.id |
-| .github/workflows/artifactpoisoning7.yml:18:14:18:58 | echo "::set-output name=id::$(<artifact.txt)" | .github/workflows/artifactpoisoning7.yml:16:9:20:6 | Run Step: artifact [id] |
-| .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files |
-| .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files |
-| .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files |
-| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced |
-| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced |
-| .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] |
-| .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED |
-| .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED |
-| .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message |
-| .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url |
-| .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] |
-| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url |
-| .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] |
-| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url |
-| .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] |
-| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output |
-| .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] |
-| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files |
-| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value |
-| .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] |
-| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output |
-| .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] |
-| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files |
-| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value |
-| .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] |
-| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output |
-| .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] |
-| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files |
-| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value |
-| .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] |
-| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output |
-| .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] |
-| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files |
-| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value |
-| .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] |
-| .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env |
-| .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env |
-| .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env |
-| .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log |
-| .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log |
-| .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output |
-| .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] |
-| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value |
-| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value |
-| .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] |
-| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value |
-| .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] |
-| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files |
-| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value |
-| .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] |
-| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY |
-| .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files |
-| .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files |
-| .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload |
-| .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] |
-| .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload |
-| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] |
-| .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] |
-| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value |
-| .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] |
-| .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG |
-| .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] |
-| .github/workflows/test.yml:24:9:28:6 | Run Step: step2 [MSG2] | .github/workflows/test.yml:30:20:30:48 | steps.step2.outputs.MSG2 |
-| .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | .github/workflows/test.yml:24:9:28:6 | Run Step: step2 [MSG2] |
-| .github/workflows/test.yml:28:9:32:6 | Run Step: step3 [MSG3] | .github/workflows/test.yml:34:20:34:48 | steps.step3.outputs.MSG3 |
-| .github/workflows/test.yml:30:20:30:48 | steps.step2.outputs.MSG2 | .github/workflows/test.yml:28:9:32:6 | Run Step: step3 [MSG3] |
-| .github/workflows/test.yml:32:9:36:6 | Run Step: step4 [MSG4] | .github/workflows/test.yml:38:20:38:48 | steps.step4.outputs.MSG4 |
-| .github/workflows/test.yml:34:20:34:48 | steps.step3.outputs.MSG3 | .github/workflows/test.yml:32:9:36:6 | Run Step: step4 [MSG4] |
-| .github/workflows/test.yml:36:9:41:2 | Run Step: step5 [MSG5] | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 |
-| .github/workflows/test.yml:38:20:38:48 | steps.step4.outputs.MSG4 | .github/workflows/test.yml:36:9:41:2 | Run Step: step5 [MSG5] |
+| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | provenance |  |
+| .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | provenance |  |
+| .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | provenance |  |
+| .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:22:14:22:55 | echo "::set-output name=id::$(<pr-id.txt)" | provenance |  |
+| .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | provenance |  |
+| .github/workflows/artifactpoisoning1.yml:22:14:22:55 | echo "::set-output name=id::$(<pr-id.txt)" | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | provenance |  |
+| .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | provenance |  |
+| .github/workflows/artifactpoisoning7.yml:8:9:16:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:18:14:18:58 | echo "::set-output name=id::$(<artifact.txt)" | provenance |  |
+| .github/workflows/artifactpoisoning7.yml:16:9:20:6 | Run Step: artifact [id] | .github/workflows/artifactpoisoning7.yml:21:20:21:51 | steps.artifact.outputs.id | provenance |  |
+| .github/workflows/artifactpoisoning7.yml:18:14:18:58 | echo "::set-output name=id::$(<artifact.txt)" | .github/workflows/artifactpoisoning7.yml:16:9:20:6 | Run Step: artifact [id] | provenance |  |
+| .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | provenance |  |
+| .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | provenance |  |
+| .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | provenance |  |
+| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | provenance |  |
+| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | provenance |  |
+| .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | provenance |  |
+| .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | provenance |  |
+| .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | provenance |  |
+| .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | provenance |  |
+| .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | provenance |  |
+| .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | provenance |  |
+| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | provenance |  |
+| .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | provenance |  |
+| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | provenance |  |
+| .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | provenance |  |
+| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | provenance |  |
+| .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | provenance |  |
+| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | provenance |  |
+| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | provenance |  |
+| .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | provenance |  |
+| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | provenance |  |
+| .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | provenance |  |
+| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | provenance |  |
+| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | provenance |  |
+| .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | provenance |  |
+| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | provenance |  |
+| .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | provenance |  |
+| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | provenance |  |
+| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | provenance |  |
+| .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | provenance |  |
+| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | provenance |  |
+| .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | provenance |  |
+| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | provenance |  |
+| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | provenance |  |
+| .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | provenance |  |
+| .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | provenance |  |
+| .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | provenance |  |
+| .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | provenance |  |
+| .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | provenance |  |
+| .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | provenance |  |
+| .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | provenance |  |
+| .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | provenance |  |
+| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | provenance |  |
+| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | provenance |  |
+| .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | provenance |  |
+| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | provenance |  |
+| .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | provenance |  |
+| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | provenance |  |
+| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | provenance |  |
+| .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | provenance |  |
+| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | provenance |  |
+| .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | provenance |  |
+| .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | provenance |  |
+| .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | provenance |  |
+| .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | provenance |  |
+| .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | provenance |  |
+| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | provenance |  |
+| .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | provenance |  |
+| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | provenance |  |
+| .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | provenance |  |
+| .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | provenance |  |
+| .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | provenance |  |
+| .github/workflows/test.yml:24:9:28:6 | Run Step: step2 [MSG2] | .github/workflows/test.yml:30:20:30:48 | steps.step2.outputs.MSG2 | provenance |  |
+| .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | .github/workflows/test.yml:24:9:28:6 | Run Step: step2 [MSG2] | provenance |  |
+| .github/workflows/test.yml:28:9:32:6 | Run Step: step3 [MSG3] | .github/workflows/test.yml:34:20:34:48 | steps.step3.outputs.MSG3 | provenance |  |
+| .github/workflows/test.yml:30:20:30:48 | steps.step2.outputs.MSG2 | .github/workflows/test.yml:28:9:32:6 | Run Step: step3 [MSG3] | provenance |  |
+| .github/workflows/test.yml:32:9:36:6 | Run Step: step4 [MSG4] | .github/workflows/test.yml:38:20:38:48 | steps.step4.outputs.MSG4 | provenance |  |
+| .github/workflows/test.yml:34:20:34:48 | steps.step3.outputs.MSG3 | .github/workflows/test.yml:32:9:36:6 | Run Step: step4 [MSG4] | provenance |  |
+| .github/workflows/test.yml:36:9:41:2 | Run Step: step5 [MSG5] | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | provenance |  |
+| .github/workflows/test.yml:38:20:38:48 | steps.step4.outputs.MSG4 | .github/workflows/test.yml:36:9:41:2 | Run Step: step5 [MSG5] | provenance |  |
 nodes
 | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
 | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
index be5a4e60b72..bd20179796e 100644
--- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
@@ -1,84 +1,84 @@
 edges
-| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced |
-| .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE |
-| .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] |
-| .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:22:14:22:55 | echo "::set-output name=id::$(<pr-id.txt)" |
-| .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id |
-| .github/workflows/artifactpoisoning1.yml:22:14:22:55 | echo "::set-output name=id::$(<pr-id.txt)" | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] |
-| .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id |
-| .github/workflows/artifactpoisoning7.yml:8:9:16:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:18:14:18:58 | echo "::set-output name=id::$(<artifact.txt)" |
-| .github/workflows/artifactpoisoning7.yml:16:9:20:6 | Run Step: artifact [id] | .github/workflows/artifactpoisoning7.yml:21:20:21:51 | steps.artifact.outputs.id |
-| .github/workflows/artifactpoisoning7.yml:18:14:18:58 | echo "::set-output name=id::$(<artifact.txt)" | .github/workflows/artifactpoisoning7.yml:16:9:20:6 | Run Step: artifact [id] |
-| .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files |
-| .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files |
-| .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files |
-| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced |
-| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced |
-| .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] |
-| .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED |
-| .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED |
-| .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message |
-| .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url |
-| .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] |
-| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url |
-| .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] |
-| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url |
-| .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] |
-| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output |
-| .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] |
-| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files |
-| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value |
-| .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] |
-| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output |
-| .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] |
-| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files |
-| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value |
-| .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] |
-| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output |
-| .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] |
-| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files |
-| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value |
-| .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] |
-| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output |
-| .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] |
-| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files |
-| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value |
-| .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] |
-| .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env |
-| .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env |
-| .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env |
-| .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log |
-| .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log |
-| .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output |
-| .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] |
-| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value |
-| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value |
-| .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] |
-| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value |
-| .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] |
-| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files |
-| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value |
-| .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] |
-| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY |
-| .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files |
-| .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files |
-| .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload |
-| .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] |
-| .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload |
-| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] |
-| .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] |
-| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value |
-| .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] |
-| .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG |
-| .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] |
-| .github/workflows/test.yml:24:9:28:6 | Run Step: step2 [MSG2] | .github/workflows/test.yml:30:20:30:48 | steps.step2.outputs.MSG2 |
-| .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | .github/workflows/test.yml:24:9:28:6 | Run Step: step2 [MSG2] |
-| .github/workflows/test.yml:28:9:32:6 | Run Step: step3 [MSG3] | .github/workflows/test.yml:34:20:34:48 | steps.step3.outputs.MSG3 |
-| .github/workflows/test.yml:30:20:30:48 | steps.step2.outputs.MSG2 | .github/workflows/test.yml:28:9:32:6 | Run Step: step3 [MSG3] |
-| .github/workflows/test.yml:32:9:36:6 | Run Step: step4 [MSG4] | .github/workflows/test.yml:38:20:38:48 | steps.step4.outputs.MSG4 |
-| .github/workflows/test.yml:34:20:34:48 | steps.step3.outputs.MSG3 | .github/workflows/test.yml:32:9:36:6 | Run Step: step4 [MSG4] |
-| .github/workflows/test.yml:36:9:41:2 | Run Step: step5 [MSG5] | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 |
-| .github/workflows/test.yml:38:20:38:48 | steps.step4.outputs.MSG4 | .github/workflows/test.yml:36:9:41:2 | Run Step: step5 [MSG5] |
+| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | provenance |  |
+| .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | provenance |  |
+| .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | provenance |  |
+| .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:22:14:22:55 | echo "::set-output name=id::$(<pr-id.txt)" | provenance |  |
+| .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | provenance |  |
+| .github/workflows/artifactpoisoning1.yml:22:14:22:55 | echo "::set-output name=id::$(<pr-id.txt)" | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | provenance |  |
+| .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | provenance |  |
+| .github/workflows/artifactpoisoning7.yml:8:9:16:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:18:14:18:58 | echo "::set-output name=id::$(<artifact.txt)" | provenance |  |
+| .github/workflows/artifactpoisoning7.yml:16:9:20:6 | Run Step: artifact [id] | .github/workflows/artifactpoisoning7.yml:21:20:21:51 | steps.artifact.outputs.id | provenance |  |
+| .github/workflows/artifactpoisoning7.yml:18:14:18:58 | echo "::set-output name=id::$(<artifact.txt)" | .github/workflows/artifactpoisoning7.yml:16:9:20:6 | Run Step: artifact [id] | provenance |  |
+| .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | provenance |  |
+| .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | provenance |  |
+| .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | provenance |  |
+| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | provenance |  |
+| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | provenance |  |
+| .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | provenance |  |
+| .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | provenance |  |
+| .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | provenance |  |
+| .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | provenance |  |
+| .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | provenance |  |
+| .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | provenance |  |
+| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | provenance |  |
+| .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | provenance |  |
+| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | provenance |  |
+| .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | provenance |  |
+| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | provenance |  |
+| .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | provenance |  |
+| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | provenance |  |
+| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | provenance |  |
+| .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | provenance |  |
+| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | provenance |  |
+| .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | provenance |  |
+| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | provenance |  |
+| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | provenance |  |
+| .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | provenance |  |
+| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | provenance |  |
+| .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | provenance |  |
+| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | provenance |  |
+| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | provenance |  |
+| .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | provenance |  |
+| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | provenance |  |
+| .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | provenance |  |
+| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | provenance |  |
+| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | provenance |  |
+| .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | provenance |  |
+| .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | provenance |  |
+| .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | provenance |  |
+| .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | provenance |  |
+| .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | provenance |  |
+| .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | provenance |  |
+| .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | provenance |  |
+| .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | provenance |  |
+| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | provenance |  |
+| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | provenance |  |
+| .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | provenance |  |
+| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | provenance |  |
+| .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | provenance |  |
+| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | provenance |  |
+| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | provenance |  |
+| .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | provenance |  |
+| .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | provenance |  |
+| .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | provenance |  |
+| .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | provenance |  |
+| .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | provenance |  |
+| .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | provenance |  |
+| .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | provenance |  |
+| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | provenance |  |
+| .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | provenance |  |
+| .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | provenance |  |
+| .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | provenance |  |
+| .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | provenance |  |
+| .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | .github/workflows/test.yml:18:9:24:6 | Run Step: step1 [MSG] | provenance |  |
+| .github/workflows/test.yml:24:9:28:6 | Run Step: step2 [MSG2] | .github/workflows/test.yml:30:20:30:48 | steps.step2.outputs.MSG2 | provenance |  |
+| .github/workflows/test.yml:26:19:26:46 | steps.step1.outputs.MSG | .github/workflows/test.yml:24:9:28:6 | Run Step: step2 [MSG2] | provenance |  |
+| .github/workflows/test.yml:28:9:32:6 | Run Step: step3 [MSG3] | .github/workflows/test.yml:34:20:34:48 | steps.step3.outputs.MSG3 | provenance |  |
+| .github/workflows/test.yml:30:20:30:48 | steps.step2.outputs.MSG2 | .github/workflows/test.yml:28:9:32:6 | Run Step: step3 [MSG3] | provenance |  |
+| .github/workflows/test.yml:32:9:36:6 | Run Step: step4 [MSG4] | .github/workflows/test.yml:38:20:38:48 | steps.step4.outputs.MSG4 | provenance |  |
+| .github/workflows/test.yml:34:20:34:48 | steps.step3.outputs.MSG3 | .github/workflows/test.yml:32:9:36:6 | Run Step: step4 [MSG4] | provenance |  |
+| .github/workflows/test.yml:36:9:41:2 | Run Step: step5 [MSG5] | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | provenance |  |
+| .github/workflows/test.yml:38:20:38:48 | steps.step4.outputs.MSG4 | .github/workflows/test.yml:36:9:41:2 | Run Step: step5 [MSG5] | provenance |  |
 nodes
 | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
 | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected
index a792da27900..c6733eb66b8 100644
--- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected
+++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected
@@ -1,17 +1,17 @@
 edges
-| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build |
-| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build |
-| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n |
-| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd |
-| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd |
-| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n |
-| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n |
-| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n |
-| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd |
-| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd |
-| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n |
-| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n |
-| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  ls \| grep -E "*.(tar.gz\|zip)$"\n  echo EOF\n} >> "$GITHUB_ENV"\n |
+| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | provenance |  |
+| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | provenance |  |
+| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | provenance |  |
+| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | provenance |  |
+| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | provenance |  |
+| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | provenance |  |
+| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | provenance |  |
+| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | provenance |  |
+| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | provenance |  |
+| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | provenance |  |
+| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance |  |
+| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance |  |
+| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  ls \| grep -E "*.(tar.gz\|zip)$"\n  echo EOF\n} >> "$GITHUB_ENV"\n | provenance |  |
 nodes
 | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build |
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected
index 193eee3b66c..a18aa5bdc80 100644
--- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected
+++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected
@@ -1,17 +1,17 @@
 edges
-| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build |
-| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build |
-| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n |
-| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd |
-| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd |
-| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n |
-| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n |
-| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n |
-| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd |
-| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd |
-| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n |
-| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n |
-| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  ls \| grep -E "*.(tar.gz\|zip)$"\n  echo EOF\n} >> "$GITHUB_ENV"\n |
+| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | provenance |  |
+| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:61 | ./x.py build -j$(nproc) --compiler gcc --skip-build | provenance |  |
+| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | provenance |  |
+| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | provenance |  |
+| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | provenance |  |
+| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | provenance |  |
+| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | provenance |  |
+| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | provenance |  |
+| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | provenance |  |
+| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | provenance |  |
+| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance |  |
+| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:23:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\nls \| grep -E "*.(tar.gz\|zip)$" >> "${GITHUB_ENV}"\nls \| grep -E "*.(txt\|md)$" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance |  |
+| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  ls \| grep -E "*.(tar.gz\|zip)$"\n  echo EOF\n} >> "$GITHUB_ENV"\n | provenance |  |
 nodes
 | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build |