Make Artifact poisoning query a path problem

2026-03-20 14:36:46 +01:00 · 2024-04-11 15:46:49 +02:00
parent b761565dcf
commit ed70ef0307
8 changed files with 166 additions and 476 deletions
--- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll
+++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll
@@ -82,22 +82,18 @@ predicate artifactToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, Da
 }

 /**
- * A downloaded artifact that gets assigned to an env var declaration.
- * - uses: actions/download-artifact@v2
- * - run: echo "::set-env name=id::$(<pr-id.txt)"
+ * A download artifact step followed by a step that may use downloaded artifacts.
 */
-predicate artifactToEnvStep(DataFlow::Node pred, DataFlow::Node succ) {
-  exists(Run run, string key, string value, ArtifactDownloadStep download |
+predicate artifactDownloadToUseStep(DataFlow::Node pred, DataFlow::Node succ) {
+  exists(ArtifactDownloadStep download, Run run |
    pred.asExpr() = download and
    succ.asExpr() = run and
-    download.getAFollowingStep() = run and
-    Utils::writeToGitHubEnv(run, key, value) and
-    value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"])
+    download.getAFollowingStep() = run
  )
 }

-class ArtifactDownloadToEnvTaintStep extends AdditionalTaintStep {
+class ArtifactDownloadToUseTaintStep extends AdditionalTaintStep {
  override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
-    artifactToEnvStep(node1, node2)
+    artifactDownloadToUseStep(node1, node2)
  }
 }
--- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
+++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
@@ -1,4 +1,8 @@
 import actions
+private import codeql.actions.TaintTracking
+import codeql.actions.DataFlow
+private import codeql.actions.dataflow.ExternalFlow
+import codeql.actions.dataflow.FlowSources

 string unzipRegexp() { result = ".*(unzip|tar)\\s+.*" }

@@ -254,3 +258,20 @@ class EnvVarInjectionRunStep extends PoisonableStep, Run {
    )
  }
 }
+
+class ArtifactPoisoningSink extends DataFlow::Node {
+  ArtifactPoisoningSink() { this.asExpr() instanceof PoisonableStep }
+}
+
+/**
+ * A taint-tracking configuration for unsafe artifacts
+ * that is used may lead to artifact poisoning
+ */
+private module ArtifactPoisoningConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof ArtifactPoisoningSink }
+}
+
+/** Tracks flow of unsafe artifacts that is used in an insecure way. */
+module ArtifactPoisoningFlow = TaintTracking::Global<ArtifactPoisoningConfig>;
--- a/ql/src/Security/CWE-829/ArtifactPoisoning.ql
+++ b/ql/src/Security/CWE-829/ArtifactPoisoning.ql
@@ -1,9 +1,9 @@
 /**
 * @name Artifact poisoning
 * @description An attacker may be able to poison the workflow's artifacts and influence on consequent steps.
- * @kind problem
+ * @kind path-problem
 * @problem.severity warning
- * @precision medium
+ * @precision high
 * @security-severity 9.3
 * @id actions/artifact-poisoning
 * @tags actions
@@ -13,11 +13,19 @@

 import actions
 import codeql.actions.security.ArtifactPoisoningQuery
+import ArtifactPoisoningFlow::PathGraph

-from LocalJob job, ArtifactDownloadStep downloadStep, PoisonableStep step
+from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sink
 where
-  // Workflow is privileged
-  job.getWorkflow().isPrivileged() and
-  // Download step is followed by a step that may be poisoned by the download
-  downloadStep.getAFollowingStep() = step
-select downloadStep, "Potential artifact poisoning."
+  ArtifactPoisoningFlow::flowPath(source, sink) and
+  (
+    exists(source.getNode().asExpr().getEnclosingCompositeAction())
+    or
+    exists(Workflow w |
+      w = source.getNode().asExpr().getEnclosingWorkflow() and
+      not w.isPrivileged()
+    )
+  )
+select sink.getNode(), source, sink,
+  "Potential artifact poisoning in $@, which may be controlled by an external user.", sink,
+  sink.getNode().toString()
--- a/ql/src/Security/CWE-829/PrivilegedArtifactPoisoning.ql
+++ b/ql/src/Security/CWE-829/PrivilegedArtifactPoisoning.ql
@@ -0,0 +1,27 @@
+/**
+ * @name Artifact poisoning
+ * @description An attacker may be able to poison the workflow's artifacts and influence on consequent steps.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @security-severity 9
+ * @id actions/privileged-artifact-poisoning
+ * @tags actions
+ *       security
+ *       external/cwe/cwe-829
+ */
+
+import actions
+import codeql.actions.security.ArtifactPoisoningQuery
+import ArtifactPoisoningFlow::PathGraph
+
+from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sink
+where
+  ArtifactPoisoningFlow::flowPath(source, sink) and
+  exists(Workflow w |
+    w = source.getNode().asExpr().getEnclosingWorkflow() and
+    w.isPrivileged()
+  )
+select sink.getNode(), source, sink,
+  "Potential privileged artifact poisoning in $@, which may be controlled by an external user.",
+  sink, sink.getNode().toString()
--- a/ql/test/library-tests/test.expected
+++ b/ql/test/library-tests/test.expected
@@ -1,446 +1,2 @@
-files
-| .github/workflows/expression_nodes.yml:0:0:0:0 | .github/workflows/expression_nodes.yml |
-| .github/workflows/test.yml:0:0:0:0 | .github/workflows/test.yml |
-workflows
-| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment |
-| .github/workflows/test.yml:1:1:40:53 | on: push |
-reusableWorkflows
-compositeActions
-jobs
-| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber |
-| .github/workflows/test.yml:5:5:31:2 | Job: job1 |
-| .github/workflows/test.yml:32:5:40:53 | Job: job2 |
-localJobs
-| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber |
-| .github/workflows/test.yml:5:5:31:2 | Job: job1 |
-| .github/workflows/test.yml:32:5:40:53 | Job: job2 |
-extJobs
-steps
-| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step |
-| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step |
-| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step |
-| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step |
-| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step |
-| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step |
-| .github/workflows/test.yml:11:9:15:6 | Uses Step |
-| .github/workflows/test.yml:15:9:19:6 | Uses Step: source |
-| .github/workflows/test.yml:19:9:26:6 | Uses Step: step |
-| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 |
-| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 |
-| .github/workflows/test.yml:39:9:40:53 | Run Step: sink |
-runSteps
-| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | LINE 1echo '${{ github.event.comment.body }}' |
-| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\n |
-| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n |
-| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n |
-| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n |
-| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' |
-| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | echo ${{ steps.source.outputs.all_changed_files }} |
-| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | ${{ github.event.pull_request.head.ref }} |
-| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | echo ${{needs.job1.outputs.job_output}} |
-runExprs
-| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body |
-| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body |
-| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body |
-| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body |
-| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body |
-| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body |
-| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body |
-| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body |
-| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body |
-| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body |
-| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body |
-| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files |
-| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref |
-| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output |
-uses
-| .github/workflows/test.yml:11:9:15:6 | Uses Step |
-| .github/workflows/test.yml:15:9:19:6 | Uses Step: source |
-| .github/workflows/test.yml:19:9:26:6 | Uses Step: step |
-stepUses
-| .github/workflows/test.yml:11:9:15:6 | Uses Step |
-| .github/workflows/test.yml:15:9:19:6 | Uses Step: source |
-| .github/workflows/test.yml:19:9:26:6 | Uses Step: step |
-usesArgs
-| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | source | .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files |
-runStepChildren
-| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' |
-| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n |
-| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n |
-| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n |
-| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n |
-| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' |
-| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:13:26:23 | simplesink1 |
-| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} |
-| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:13:28:23 | simplesink2 |
-| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} |
-| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:13:39:16 | sink |
-| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} |
-parentNodes
-| .github/workflows/expression_nodes.yml:1:5:1:17 | issue_comment | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment |
-| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment |
-| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment |
-| .github/workflows/expression_nodes.yml:5:14:5:26 | ubuntu-latest | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber |
-| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber |
-| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment |
-| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber |
-| .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' | .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step |
-| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:14:7:58 | LINE 1echo '${{ github.event.comment.body }}' |
-| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber |
-| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment |
-| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber |
-| .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step |
-| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:8:14:9:57 | LINE 1 echo '${{ github.event.comment.body }}'\n |
-| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber |
-| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment |
-| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber |
-| .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step |
-| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n |
-| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:10:14:12:53 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\n |
-| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber |
-| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment |
-| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber |
-| .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n | .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step |
-| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n |
-| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:13:14:15:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}'\n |
-| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber |
-| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment |
-| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber |
-| .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n | .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step |
-| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n |
-| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n |
-| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:16:14:19:57 | LINE 1 echo '${{ github.event.comment.body }}'\nLINE 2 echo '${{github.event.issue.body}}'\nLINE 3 echo '${{ github.event.comment.body }}'\n |
-| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber |
-| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment |
-| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber |
-| .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' | .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step |
-| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' |
-| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | LINE 1 echo '${{ github.event.comment.body }}' echo '${{github.event.issue.body}}' |
-| .github/workflows/test.yml:1:5:1:8 | push | .github/workflows/test.yml:1:1:40:53 | on: push |
-| .github/workflows/test.yml:5:5:31:2 | Job: job1 | .github/workflows/test.yml:1:1:40:53 | on: push |
-| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:1:1:40:53 | on: push |
-| .github/workflows/test.yml:5:14:5:26 | ubuntu-latest | .github/workflows/test.yml:5:5:31:2 | Job: job1 |
-| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:1:1:40:53 | on: push |
-| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:5:5:31:2 | Job: job1 |
-| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | Job outputs node |
-| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:1:1:40:53 | on: push |
-| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 |
-| .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} | .github/workflows/test.yml:8:7:10:4 | Job outputs node |
-| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:19:8:49 | ${{ steps.step.outputs.value }} |
-| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:5:5:31:2 | Job: job1 |
-| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:1:1:40:53 | on: push |
-| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:5:5:31:2 | Job: job1 |
-| .github/workflows/test.yml:11:15:11:33 | actions/checkout@v4 | .github/workflows/test.yml:11:9:15:6 | Uses Step |
-| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:1:1:40:53 | on: push |
-| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:5:5:31:2 | Job: job1 |
-| .github/workflows/test.yml:13:24:13:24 | 0 | .github/workflows/test.yml:11:9:15:6 | Uses Step |
-| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:5:5:31:2 | Job: job1 |
-| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:1:1:40:53 | on: push |
-| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:5:5:31:2 | Job: job1 |
-| .github/workflows/test.yml:15:15:15:31 | Get changed files | .github/workflows/test.yml:15:9:19:6 | Uses Step: source |
-| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:1:1:40:53 | on: push |
-| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:5:5:31:2 | Job: job1 |
-| .github/workflows/test.yml:16:13:16:18 | source | .github/workflows/test.yml:15:9:19:6 | Uses Step: source |
-| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:1:1:40:53 | on: push |
-| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:5:5:31:2 | Job: job1 |
-| .github/workflows/test.yml:17:15:17:42 | tj-actions/changed-files@v40 | .github/workflows/test.yml:15:9:19:6 | Uses Step: source |
-| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:5:5:31:2 | Job: job1 |
-| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:1:1:40:53 | on: push |
-| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:5:5:31:2 | Job: job1 |
-| .github/workflows/test.yml:19:15:19:43 | Remove foo from changed files | .github/workflows/test.yml:19:9:26:6 | Uses Step: step |
-| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:1:1:40:53 | on: push |
-| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:5:5:31:2 | Job: job1 |
-| .github/workflows/test.yml:20:13:20:16 | step | .github/workflows/test.yml:19:9:26:6 | Uses Step: step |
-| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:1:1:40:53 | on: push |
-| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:5:5:31:2 | Job: job1 |
-| .github/workflows/test.yml:21:15:21:55 | mad9000/actions-find-and-replace-string@3 | .github/workflows/test.yml:19:9:26:6 | Uses Step: step |
-| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:1:1:40:53 | on: push |
-| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 |
-| .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:19:9:26:6 | Uses Step: step |
-| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:19:23:63 | ${{ steps.source.outputs.all_changed_files }} |
-| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:1:1:40:53 | on: push |
-| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:5:5:31:2 | Job: job1 |
-| .github/workflows/test.yml:24:17:24:21 | foo | .github/workflows/test.yml:19:9:26:6 | Uses Step: step |
-| .github/workflows/test.yml:25:20:25:21 |  | .github/workflows/test.yml:1:1:40:53 | on: push |
-| .github/workflows/test.yml:25:20:25:21 |  | .github/workflows/test.yml:5:5:31:2 | Job: job1 |
-| .github/workflows/test.yml:25:20:25:21 |  | .github/workflows/test.yml:19:9:26:6 | Uses Step: step |
-| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:5:5:31:2 | Job: job1 |
-| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:1:1:40:53 | on: push |
-| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:5:5:31:2 | Job: job1 |
-| .github/workflows/test.yml:26:13:26:23 | simplesink1 | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 |
-| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:1:1:40:53 | on: push |
-| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 |
-| .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} | .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 |
-| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:14:27:63 | echo ${{ steps.source.outputs.all_changed_files }} |
-| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:5:5:31:2 | Job: job1 |
-| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:1:1:40:53 | on: push |
-| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:5:5:31:2 | Job: job1 |
-| .github/workflows/test.yml:28:13:28:23 | simplesink2 | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 |
-| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:1:1:40:53 | on: push |
-| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:5:5:31:2 | Job: job1 |
-| .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} | .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 |
-| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:14:29:54 | ${{ github.event.pull_request.head.ref }} |
-| .github/workflows/test.yml:32:5:40:53 | Job: job2 | .github/workflows/test.yml:1:1:40:53 | on: push |
-| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:1:1:40:53 | on: push |
-| .github/workflows/test.yml:32:14:32:26 | ubuntu-latest | .github/workflows/test.yml:32:5:40:53 | Job: job2 |
-| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:1:1:40:53 | on: push |
-| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:1:1:40:53 | on: push |
-| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 |
-| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:32:5:40:53 | Job: job2 |
-| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} |
-| .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} |
-| .github/workflows/test.yml:34:10:34:24 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} |
-| .github/workflows/test.yml:34:11:34:25 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} |
-| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:1:1:40:53 | on: push |
-| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 |
-| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 |
-| .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:36:12:36:15 | job1 |
-| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 |
-| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:1:1:40:53 | on: push |
-| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:32:5:40:53 | Job: job2 |
-| .github/workflows/test.yml:39:13:39:16 | sink | .github/workflows/test.yml:39:9:40:53 | Run Step: sink |
-| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:1:1:40:53 | on: push |
-| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:32:5:40:53 | Job: job2 |
-| .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} | .github/workflows/test.yml:39:9:40:53 | Run Step: sink |
-| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:14:40:52 | echo ${{needs.job1.outputs.job_output}} |
-cfgNodes
-| .github/workflows/expression_nodes.yml:1:1:21:47 | enter on: issue_comment |
-| .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment |
-| .github/workflows/expression_nodes.yml:1:1:21:47 | exit on: issue_comment (normal) |
-| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment |
-| .github/workflows/expression_nodes.yml:5:5:21:47 | Job: echo-chamber |
-| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step |
-| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body |
-| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step |
-| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body |
-| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step |
-| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body |
-| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body |
-| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step |
-| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body |
-| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body |
-| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step |
-| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body |
-| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body |
-| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body |
-| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step |
-| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body |
-| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body |
-| .github/workflows/test.yml:1:1:40:53 | enter on: push |
-| .github/workflows/test.yml:1:1:40:53 | exit on: push |
-| .github/workflows/test.yml:1:1:40:53 | exit on: push (normal) |
-| .github/workflows/test.yml:1:1:40:53 | on: push |
-| .github/workflows/test.yml:5:5:31:2 | Job: job1 |
-| .github/workflows/test.yml:8:7:10:4 | Job outputs node |
-| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value |
-| .github/workflows/test.yml:11:9:15:6 | Uses Step |
-| .github/workflows/test.yml:15:9:19:6 | Uses Step: source |
-| .github/workflows/test.yml:19:9:26:6 | Uses Step: step |
-| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files |
-| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 |
-| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files |
-| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 |
-| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref |
-| .github/workflows/test.yml:32:5:40:53 | Job: job2 |
-| .github/workflows/test.yml:39:9:40:53 | Run Step: sink |
-| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output |
-dfNodes
-| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step |
-| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body |
-| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step |
-| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body |
-| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step |
-| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body |
-| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body |
-| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step |
-| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body |
-| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body |
-| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step |
-| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body |
-| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body |
-| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body |
-| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step |
-| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body |
-| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body |
-| .github/workflows/test.yml:8:7:10:4 | Job outputs node |
-| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value |
-| .github/workflows/test.yml:11:9:15:6 | Uses Step |
-| .github/workflows/test.yml:15:9:19:6 | Uses Step: source |
-| .github/workflows/test.yml:19:9:26:6 | Uses Step: step |
-| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files |
-| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 |
-| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files |
-| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 |
-| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref |
-| .github/workflows/test.yml:39:9:40:53 | Run Step: sink |
-| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output |
-argumentNodes
-| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files |
-usesIds
-| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | source |
-| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | step |
-nodeLocations
-| .github/workflows/expression_nodes.yml:7:9:8:6 | Run Step | .github/workflows/expression_nodes.yml:7:9:8:6 | .github/workflows/expression_nodes.yml@7:9:8:6 |
-| .github/workflows/expression_nodes.yml:7:27:7:58 | github.event.comment.body | .github/workflows/expression_nodes.yml:7:27:7:58 | .github/workflows/expression_nodes.yml@7:27:7:58 |
-| .github/workflows/expression_nodes.yml:8:9:10:6 | Run Step | .github/workflows/expression_nodes.yml:8:9:10:6 | .github/workflows/expression_nodes.yml@8:9:10:6 |
-| .github/workflows/expression_nodes.yml:9:25:9:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:9:25:9:56 | .github/workflows/expression_nodes.yml@9:25:9:56 |
-| .github/workflows/expression_nodes.yml:10:9:13:6 | Run Step | .github/workflows/expression_nodes.yml:10:9:13:6 | .github/workflows/expression_nodes.yml@10:9:13:6 |
-| .github/workflows/expression_nodes.yml:11:25:11:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:11:25:11:56 | .github/workflows/expression_nodes.yml@11:25:11:56 |
-| .github/workflows/expression_nodes.yml:12:24:12:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:12:24:12:51 | .github/workflows/expression_nodes.yml@12:24:12:51 |
-| .github/workflows/expression_nodes.yml:13:9:16:6 | Run Step | .github/workflows/expression_nodes.yml:13:9:16:6 | .github/workflows/expression_nodes.yml@13:9:16:6 |
-| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 |
-| .github/workflows/expression_nodes.yml:14:9:15:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:14:9:15:46 | .github/workflows/expression_nodes.yml@14:9:15:46 |
-| .github/workflows/expression_nodes.yml:16:9:20:6 | Run Step | .github/workflows/expression_nodes.yml:16:9:20:6 | .github/workflows/expression_nodes.yml@16:9:20:6 |
-| .github/workflows/expression_nodes.yml:17:25:17:56 | github.event.comment.body | .github/workflows/expression_nodes.yml:17:25:17:56 | .github/workflows/expression_nodes.yml@17:25:17:56 |
-| .github/workflows/expression_nodes.yml:18:24:18:51 | github.event.issue.body | .github/workflows/expression_nodes.yml:18:24:18:51 | .github/workflows/expression_nodes.yml@18:24:18:51 |
-| .github/workflows/expression_nodes.yml:19:24:19:55 | github.event.comment.body | .github/workflows/expression_nodes.yml:19:24:19:55 | .github/workflows/expression_nodes.yml@19:24:19:55 |
-| .github/workflows/expression_nodes.yml:20:9:21:47 | Run Step | .github/workflows/expression_nodes.yml:20:9:21:47 | .github/workflows/expression_nodes.yml@20:9:21:47 |
-| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.comment.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 |
-| .github/workflows/expression_nodes.yml:20:14:21:46 | github.event.issue.body | .github/workflows/expression_nodes.yml:20:14:21:46 | .github/workflows/expression_nodes.yml@20:14:21:46 |
-| .github/workflows/test.yml:8:7:10:4 | Job outputs node | .github/workflows/test.yml:8:7:10:4 | .github/workflows/test.yml@8:7:10:4 |
-| .github/workflows/test.yml:8:20:8:50 | steps.step.outputs.value | .github/workflows/test.yml:8:20:8:50 | .github/workflows/test.yml@8:20:8:50 |
-| .github/workflows/test.yml:11:9:15:6 | Uses Step | .github/workflows/test.yml:11:9:15:6 | .github/workflows/test.yml@11:9:15:6 |
-| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | .github/workflows/test.yml:15:9:19:6 | .github/workflows/test.yml@15:9:19:6 |
-| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | .github/workflows/test.yml:19:9:26:6 | .github/workflows/test.yml@19:9:26:6 |
-| .github/workflows/test.yml:23:20:23:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:23:20:23:64 | .github/workflows/test.yml@23:20:23:64 |
-| .github/workflows/test.yml:26:9:28:6 | Run Step: simplesink1 | .github/workflows/test.yml:26:9:28:6 | .github/workflows/test.yml@26:9:28:6 |
-| .github/workflows/test.yml:27:20:27:64 | steps.source.outputs.all_changed_files | .github/workflows/test.yml:27:20:27:64 | .github/workflows/test.yml@27:20:27:64 |
-| .github/workflows/test.yml:28:9:31:2 | Run Step: simplesink2 | .github/workflows/test.yml:28:9:31:2 | .github/workflows/test.yml@28:9:31:2 |
-| .github/workflows/test.yml:29:15:29:55 | github.event.pull_request.head.ref | .github/workflows/test.yml:29:15:29:55 | .github/workflows/test.yml@29:15:29:55 |
-| .github/workflows/test.yml:39:9:40:53 | Run Step: sink | .github/workflows/test.yml:39:9:40:53 | .github/workflows/test.yml@39:9:40:53 |
-| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output | .github/workflows/test.yml:40:20:40:53 | .github/workflows/test.yml@40:20:40:53 |
-scopes
-| .github/workflows/expression_nodes.yml:1:1:21:47 | on: issue_comment |
-| .github/workflows/test.yml:1:1:40:53 | on: push |
-sources
-| ahmadnassri/action-changed-files | * | output.files | PR changed files |
-| ahmadnassri/action-changed-files | * | output.json | PR changed files |
-| amannn/action-semantic-pull-request | * | output.error_message | PR title |
-| cypress-io/github-action | * | env.GH_BRANCH | PR branch |
-| dawidd6/action-download-artifact | * | output.artifacts | Artifact details |
-| dorny/paths-filter | * | output.changes | PR changed files |
-| franzdiebold/github-env-vars-action | * | output.CI_PR_DESCRIPTION | PR body |
-| franzdiebold/github-env-vars-action | * | output.CI_PR_TITLE | PR title |
-| jitterbit/get-changed-files | * | output.added | PR changed files |
-| jitterbit/get-changed-files | * | output.added_modified | PR changed files |
-| jitterbit/get-changed-files | * | output.all | PR changed files |
-| jitterbit/get-changed-files | * | output.deleted | PR changed files |
-| jitterbit/get-changed-files | * | output.modified | PR changed files |
-| jitterbit/get-changed-files | * | output.removed | PR changed files |
-| jitterbit/get-changed-files | * | output.renamed | PR changed files |
-| khan/pull-request-comment-trigger | * | output.comment_body | Comment body |
-| marocchino/on_artifact | * | output.* | Downloaded artifact |
-| octo-org/source-repo/.github/workflows/workflow.yml | * | output.workflow-output | Foo |
-| redhat-plumbers-in-action/download-artifact | * | output.* | Downloaded artifact |
-| tj-actions/branch-names | * | output.current_branch | PR current branch |
-| tj-actions/branch-names | * | output.head_ref_branch | PR head branch |
-| tj-actions/branch-names | * | output.ref_branch | Branch tirggering workflow run |
-| tj-actions/changed-files | * | output.added_files | PR changed files |
-| tj-actions/changed-files | * | output.all_changed_and_modified_files | PR changed files |
-| tj-actions/changed-files | * | output.all_changed_files | PR changed files |
-| tj-actions/changed-files | * | output.all_modified_files | PR changed files |
-| tj-actions/changed-files | * | output.all_old_new_renamed_files | PR changed files |
-| tj-actions/changed-files | * | output.changed_keys | PR changed files |
-| tj-actions/changed-files | * | output.copied_files | PR changed files |
-| tj-actions/changed-files | * | output.deleted_files | PR changed files |
-| tj-actions/changed-files | * | output.modified_files | PR changed files |
-| tj-actions/changed-files | * | output.modified_keys | PR changed files |
-| tj-actions/changed-files | * | output.other_changed_files | PR changed files |
-| tj-actions/changed-files | * | output.other_deleted_files | PR changed files |
-| tj-actions/changed-files | * | output.other_modified_files | PR changed files |
-| tj-actions/changed-files | * | output.renamed_files | PR changed files |
-| tj-actions/changed-files | * | output.type_changed_files | PR changed files |
-| tj-actions/changed-files | * | output.unknown_files | PR changed files |
-| tj-actions/changed-files | * | output.unmerged_files | PR changed files |
-| tj-actions/verify-changed-files | * | output.changed-files | PR changed files |
-| trilom/file-changes-action | * | output.files | PR changed files |
-| trilom/file-changes-action | * | output.files_added | PR changed files |
-| trilom/file-changes-action | * | output.files_modified | PR changed files |
-| trilom/file-changes-action | * | output.files_removed | PR changed files |
-| tzkhan/pr-update-action | * | output.headMatch |  |
-| xt0rted/slash-command-action | * | output.command-arguments |  |
-summaries
-| akhileshns/heroku-deploy | * | input.branch | output.status | taint |
-| android-actions/setup-android | * | input.cmdline-tools-version | output.ANDROID_COMMANDLINE_TOOLS_VERSION | taint |
-| apple-actions/import-codesign-certs | * | input.keychain-password | output.keychain-password | taint |
-| ashley-taylor/read-json-property-action | * | input.json | output.value | taint |
-| ashley-taylor/regex-property-action | * | input.replacement | output.value | taint |
-| ashley-taylor/regex-property-action | * | input.value | output.value | taint |
-| aszc/change-string-case-action | * | input.replace-with | output.lowercase | taint |
-| aszc/change-string-case-action | * | input.replace-with | output.uppercase | taint |
-| aszc/change-string-case-action | * | input.string | output.capitalized | taint |
-| aws-actions/configure-aws-credentials | * | input.aws-access-key-id | env.AWS_ACCESS_KEY_ID | taint |
-| aws-actions/configure-aws-credentials | * | input.aws-access-key-id | secret.AWS_ACCESS_KEY_ID | taint |
-| aws-actions/configure-aws-credentials | * | input.aws-secret-access-key | env.AWS_SECRET_ACCESS_KEY | taint |
-| aws-actions/configure-aws-credentials | * | input.aws-secret-access-key | secret.AWS_SECRET_ACCESS_KEY | taint |
-| aws-actions/configure-aws-credentials | * | input.aws-session-token | env.AWS_SESSION_TOKEN | taint |
-| aws-actions/configure-aws-credentials | * | input.aws-session-token | secret.AWS_SESSION_TOKEN | taint |
-| bobheadxi/deployments | * | input.env | output.env | taint |
-| bufbuild/buf-breaking-action | * | input.buf_token | env.BUF_TOKEN | taint |
-| bufbuild/buf-lint-action | * | input.buf_token | env.BUF_TOKEN | taint |
-| cachix/cachix-action | * | input.signingKey | env.CACHIX_SIGNING_KEY | taint |
-| coursier/cache-action | * | input.path | env.COURSIER_CACHE | taint |
-| crazy-max/ghaction-import-gpg | * | input.fingerprint | output.fingerprint | taint |
-| csexton/release-asset-action | * | input.release-url | output.url | taint |
-| delaguardo/setup-clojure | * | input.boot | env.BOOT_VERSION | taint |
-| frabert/replace-string-action | * | input.replace-with | output.replaced | taint |
-| frabert/replace-string-action | * | input.string | output.replaced | taint |
-| game-ci/unity-test-runner | * | input.artifactsPath | output.artifactsPath | taint |
-| getsentry/action-release | * | input.version | output.version | taint |
-| getsentry/action-release | * | input.version_prefix | output.version | taint |
-| github/codeql-action | * | input.output | output.sarif-output | taint |
-| gradle/gradle-build-action | * | input.build-scan-terms-of-service-agree | env.BUILD_SCAN_TERMS_OF_SERVICE_AGREE | taint |
-| gradle/gradle-build-action | * | input.build-scan-terms-of-service-url | env.BUILD_SCAN_TERMS_OF_SERVICE_URL | taint |
-| gradle/gradle-build-action | * | input.cache-encryption-key | env.GRADLE_ENCRYPTION_KEY | taint |
-| haya14busa/action-cond | * | input.if_false | output.value | taint |
-| haya14busa/action-cond | * | input.if_true | output.value | taint |
-| hexlet/project-action | * | input.mount-path | env.PWD | taint |
-| jsdaniell/create-json | * | input.dir | output.successfully | taint |
-| jsdaniell/create-json | * | input.json | output.successfully | taint |
-| jsdaniell/create-json | * | input.name | output.successfully | taint |
-| jwalton/gh-ecr-push | * | input.image | output.imageUrl | taint |
-| larsoner/circleci-artifacts-redirector-action | * | input.artifact-path | output.url | taint |
-| mad9000/actions-find-and-replace-string | * | input.replace | output.value | taint |
-| mad9000/actions-find-and-replace-string | * | input.source | output.value | taint |
-| mattdavis0351/actions | * | input.image-name | output.imageUrl | taint |
-| mattdavis0351/actions | * | input.tag | output.imageUrl | taint |
-| metro-digital/setup-tools-for-waas | * | input.gcp_sa_key | env.GCLOUD_PROJECT | taint |
-| mishakav/pytest-coverage-comment | * | input.multiple-files | output.summaryReport | taint |
-| mymindstorm/setup-emsdk | * | input.actions-cache-folder | env.EMSDK | taint |
-| octo-org/summary-repo/.github/workflows/workflow.yml | * | input.config-path | output.workflow-output | taint |
-| octo-org/this-repo/.github/workflows/workflow.yml | * | input.config-path | output.workflow-output | taint |
-| ruby/setup-ruby | * | input.ruby-version | output.ruby-prefix | taint |
-| salsify/action-detect-and-tag-new-version | * | input.tag-template | output.tag | taint |
-| shallwefootball/upload-s3-action | * | input.destination_dir | output.object_key | taint |
-| shogo82148/actions-setup-perl | * | input.working-directory | env.PERL5LIB | taint |
-| suisei-cn/actions-download-file | * | input.filename | output.filename | taint |
-| timheuer/base64-to-file | * | input.fileDir | output.filePath | taint |
-| timheuer/base64-to-file | * | input.fileName | output.filePath | taint |
-calls
-| .github/workflows/test.yml:11:9:15:6 | Uses Step | actions/checkout |
-| .github/workflows/test.yml:15:9:19:6 | Uses Step: source | tj-actions/changed-files |
-| .github/workflows/test.yml:19:9:26:6 | Uses Step: step | mad9000/actions-find-and-replace-string |
-needs
-| .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output |
-testNormalizeExpr
-| foo['bar'] == baz | foo.bar == baz |
-| github.event.pull_request.user["login"] | github.event.pull_request.user.login |
-| github.event.pull_request.user['login'] | github.event.pull_request.user.login |
-| github.event.pull_request['user']['login'] | github.event.pull_request.user.login |
-writeToGitHubEnv
-| id1 | $(<pr-id1.txt) |
-| id2 | $(<pr-id2.txt) |
-| id3 | $(<pr-id3.txt) |
-| sha1 | $(<test-results1/sha-number) |
-| sha2 | $(<test-results2/sha-number) |
-| sha3 | $(<test-results3/sha-number) |
-writeToGitHubOutput
-| id1 | $(<pr-id1.txt) |
-| id2 | $(<pr-id2.txt) |
-| id3 | $(<pr-id3.txt) |
-| sha1 | $(<test-results1/sha-number) |
-| sha2 | $(<test-results2/sha-number) |
-| sha3 | $(<test-results3/sha-number) |
-| sha4 | $(<test-results4/sha-number) |
-| sha5 | $(<test-results5/sha-number) |
-| sha6 | $(<test-results6/sha-number) |
+ERROR: Could not resolve predicate extractLineAssignment/4 (test.ql:85,5-33)
+ERROR: Could not resolve predicate extractLineAssignment/4 (test.ql:103,5-33)
--- a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected
+++ b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoning.expected
@@ -1,12 +1,40 @@
-| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | Potential artifact poisoning. |
-| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | Potential artifact poisoning. |
-| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Potential artifact poisoning. |
-| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Potential artifact poisoning. |
-| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | Potential artifact poisoning. |
-| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | Potential artifact poisoning. |
-| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | Potential artifact poisoning. |
-| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | Potential artifact poisoning. |
-| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | Potential artifact poisoning. |
-| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | Potential artifact poisoning. |
-| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | Potential artifact poisoning. |
-| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | Potential artifact poisoning. |
+edges
+| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step |
+| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:36:9:38:62 | Run Step |
+| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:18:9:20:20 | Run Step |
+| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:17:9:18:19 | Run Step |
+| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step |
+| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step |
+| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step |
+| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step |
+| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step |
+| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step |
+| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:18:9:23:40 | Run Step |
+| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step |
+nodes
+| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/artifactpoisoning12.yml:36:9:38:62 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/artifactpoisoning21.yml:18:9:20:20 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/artifactpoisoning22.yml:17:9:18:19 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning52.yml:18:9:23:40 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | semmle.label | Run Step |
+subpaths
+#select
--- a/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.expected
+++ b/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.expected
@@ -0,0 +1,52 @@
+edges
+| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step |
+| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:36:9:38:62 | Run Step |
+| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:18:9:20:20 | Run Step |
+| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:17:9:18:19 | Run Step |
+| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step |
+| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step |
+| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step |
+| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step |
+| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step |
+| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step |
+| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:18:9:23:40 | Run Step |
+| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step |
+nodes
+| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/artifactpoisoning12.yml:36:9:38:62 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/artifactpoisoning21.yml:18:9:20:20 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/artifactpoisoning22.yml:17:9:18:19 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning52.yml:18:9:23:40 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | semmle.label | Run Step |
+| .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | semmle.label | Run Step |
+subpaths
+#select
+| .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step | Run Step |
+| .github/workflows/artifactpoisoning12.yml:36:9:38:62 | Run Step | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:36:9:38:62 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning12.yml:36:9:38:62 | Run Step | Run Step |
+| .github/workflows/artifactpoisoning21.yml:18:9:20:20 | Run Step | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:18:9:20:20 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning21.yml:18:9:20:20 | Run Step | Run Step |
+| .github/workflows/artifactpoisoning22.yml:17:9:18:19 | Run Step | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:17:9:18:19 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning22.yml:17:9:18:19 | Run Step | Run Step |
+| .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step | Run Step |
+| .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step | Run Step |
+| .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step | Run Step |
+| .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step | Run Step |
+| .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step | Run Step |
+| .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step | Run Step |
+| .github/workflows/artifactpoisoning52.yml:18:9:23:40 | Run Step | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:18:9:23:40 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning52.yml:18:9:23:40 | Run Step | Run Step |
+| .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | Potential privileged artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step | Run Step |
--- a/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.qlref
+++ b/ql/test/query-tests/Security/CWE-829/PrivilegedArtifactPoisoning.qlref
@@ -0,0 +1,2 @@
+Security/CWE-829/PrivilegedArtifactPoisoning.ql
+
				`@@ -0,0 +1,2 @@`
				`Security/CWE-829/PrivilegedArtifactPoisoning.ql`