diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index da54833e9a6..8d965c3e4c7 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll @@ -1,7 +1,7 @@ private import codeql.actions.ast.internal.Yaml private import codeql.Locations private import codeql.actions.Helper -private import codeql.actions.dataflow.ExternalFlow +private import codeql.actions.config.Config /** * Gets the length of each line in the StringValue . diff --git a/ql/lib/codeql/actions/config/Config.qll b/ql/lib/codeql/actions/config/Config.qll new file mode 100644 index 00000000000..d6a85c426c6 --- /dev/null +++ b/ql/lib/codeql/actions/config/Config.qll 
@@ -0,0 +1,74 @@ +import ConfigExtensions as Extensions + +/** + * MaD models for workflow details + * Fields: + * - path: Path to the workflow file + * - trigger: Trigger for the workflow + * - job: Job name + * - secrets_source: Source of secrets + * - permissions: Permissions for the workflow + * - runner: Runner info for the workflow + */ +predicate workflowDataModel( + string path, string trigger, string job, string secrets_source, string permissions, string runner +) { + Extensions::workflowDataModel(path, trigger, job, secrets_source, permissions, runner) +} + +/** + * MaD models for repository details + * Fields: + * - visibility: Visibility of the repository + * - default_branch_name: Default branch name + */ +predicate repositoryDataModel(string visibility, string default_branch_name) { + Extensions::repositoryDataModel(visibility, default_branch_name) +} + +/** + * MaD models for context/trigger mapping + * Fields: + * - trigger: Trigger for the workflow + * - context_prefix: Prefix for the context + */ +predicate contextTriggerDataModel(string trigger, string context_prefix) { + Extensions::contextTriggerDataModel(trigger, context_prefix) +} + +/** + * MaD models for externally triggerable events + * Fields: + * - event: Event name + */ +predicate externallyTriggerableEventsDataModel(string event) { + Extensions::externallyTriggerableEventsDataModel(event) +} + +/** + * MaD models for poisonable commands + * Fields: + * - regexp: Regular expression for matching poisonable commands + */ +predicate poisonableCommandsDataModel(string regexp) { + Extensions::poisonableCommandsDataModel(regexp) +} + +/** + * MaD models for poisonable local scripts + * Fields: + * - regexp: Regular expression for matching poisonable local scripts + * - group: Script capture group number for the regular expression + */ +predicate poisonableLocalScriptsDataModel(string regexp, int group) { + Extensions::poisonableLocalScriptsDataModel(regexp, group) +} + +/** + * MaD models for 
poisonable actions + * Fields: + * - action: action name + */ +predicate poisonableActionsDataModel(string action) { + Extensions::poisonableActionsDataModel(action) +} diff --git a/ql/lib/codeql/actions/config/ConfigExtensions.qll b/ql/lib/codeql/actions/config/ConfigExtensions.qll new file mode 100644 index 00000000000..3ca4b6a7559 --- /dev/null +++ b/ql/lib/codeql/actions/config/ConfigExtensions.qll @@ -0,0 +1,41 @@ +/** + * This module provides extensible predicates for defining MaD models. + */ + +/** + * Holds if workflow data model exists for the given parameters. + */ +extensible predicate workflowDataModel( + string path, string trigger, string job, string secrets_source, string permissions, string runner +); + +/** + * Holds if repository data model exists for the given parameters. + */ +extensible predicate repositoryDataModel(string visibility, string default_branch_name); + +/** + * Holds if a context expression starting with context_prefix is available for a given trigger. + */ +extensible predicate contextTriggerDataModel(string trigger, string context_prefix); + +/** + * Holds if a given trigger event can be fired by an external actor. + */ +extensible predicate externallyTriggerableEventsDataModel(string event); + +/** + * Holds for strings that match poisonable commands. + */ +extensible predicate poisonableCommandsDataModel(string regexp); + +/** + * Holds for strings that match poisonable local scripts. + */ +extensible predicate poisonableLocalScriptsDataModel(string regexp, int group); + +/** + * Holds for actions that can be poisoned through local files. + */ +extensible predicate poisonableActionsDataModel(string action); + diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index d0b84f918d5..2cb8c56b147 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll 
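Review bot: The `regexp` fields of `poisonableCommandsDataModel` and `poisonableLocalScriptsDataModel` are documented only as "regular expression for matching", which does not tell a model author how the value is applied, and PoisonableSteps.qll applies the two differently. The command pattern is searched for in each trimmed script line after `([^a-z]|^)` is prepended, while the local-script pattern is passed to `regexpCapture`, which as far as I know has to match the whole line. I would spell that out, e.g. `* - regexp: pattern searched for in each trimmed script line; the library prepends ([^a-z]|^)` and `* - regexp: pattern that must match a whole trimmed script line`, with `* - group: index of the capture group holding the script path`. The matching comments in ConfigExtensions.qll ("Holds for strings that match poisonable commands") have the same gap, since the column holds the pattern rather than a matching string.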
@@ -2,51 +2,6 @@ private import internal.ExternalFlowExtensions as Extensions private import codeql.actions.DataFlow private import actions -/** - * MaD models for workflow details - * Fields: - * - path: Path to the workflow file - * - trigger: Trigger for the workflow - * - job: Job name - * - secrets_source: Source of secrets - * - permissions: Permissions for the workflow - * - runner: Runner info for the workflow - */ -predicate workflowDataModel( - string path, string trigger, string job, string secrets_source, string permissions, string runner -) { - Extensions::workflowDataModel(path, trigger, job, secrets_source, permissions, runner) -} - -/** - * MaD models for repository details - * Fields: - * - visibility: Visibility of the repository - * - default_branch_name: Default branch name - */ -predicate repositoryDataModel(string visibility, string default_branch_name) { - Extensions::repositoryDataModel(visibility, default_branch_name) -} - -/** - * MaD models for context/trigger mapping - * Fields: - * - trigger: Trigger for the workflow - * - context_prefix: Prefix for the context - */ -predicate contextTriggerDataModel(string trigger, string context_prefix) { - Extensions::contextTriggerDataModel(trigger, context_prefix) -} - -/** - * MaD models for externally triggerable events - * Fields: - * - event: Event name - */ -predicate externallyTriggerableEventsDataModel(string event) { - Extensions::externallyTriggerableEventsDataModel(event) -} - /** * MaD sources * Fields: diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 7217796d138..b09664359ab 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
@@ -1,5 +1,6 @@ -private import codeql.actions.dataflow.ExternalFlow private import codeql.actions.security.ArtifactPoisoningQuery +private import codeql.actions.config.Config +private import codeql.actions.dataflow.ExternalFlow /** * A data flow source. diff --git a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll index 05f71cfc0be..bd9d73b4170 100644 --- a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll +++ b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll @@ -22,25 +22,3 @@ extensible predicate actionsSummaryModel( extensible predicate actionsSinkModel( string action, string version, string input, string kind, string provenance ); - -/** - * Holds if workflow data model exists for the given parameters. - */ -extensible predicate workflowDataModel( - string path, string trigger, string job, string secrets_source, string permissions, string runner -); - -/** - * Holds if repository data model exists for the given parameters. - */ -extensible predicate repositoryDataModel(string visibility, string default_branch_name); - -/** - * Holds if a context expression starting with context_prefix is available for a given trigger. - */ -extensible predicate contextTriggerDataModel(string trigger, string context_prefix); - -/** - * Holds if a given trigger event can be fired by an external actor. - */ -extensible predicate externallyTriggerableEventsDataModel(string event); diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index 44c3c64a5a6..d2853591d61 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll 
@@ -254,8 +254,8 @@ class ArtifactPoisoningSink extends DataFlow::Node { poisonable.(UsesStep) = this.asExpr() ) and ( - not poisonable instanceof LocalCommandExecutionRunStep or - poisonable.(LocalCommandExecutionRunStep).getCommand().matches(download.getPath() + "%") + not poisonable instanceof LocalScriptExecutionRunStep or + poisonable.(LocalScriptExecutionRunStep).getCommand().matches(download.getPath() + "%") ) ) } diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll index e80ea71c958..1a3e7b2b2f7 100644 --- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll @@ -1,5 +1,5 @@ import actions -import codeql.actions.dataflow.ExternalFlow +import codeql.actions.config.Config string defaultBranchTriggerEvent() { result = diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index b1d5269d44a..d9978b2a423 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll 
@@ -1,67 +1,35 @@ import actions +import codeql.actions.config.Config abstract class PoisonableStep extends Step { } -// source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L16 private string dangerousActions() { - result = - [ - "pre-commit/action", "oxsecurity/megalinter", "bridgecrewio/checkov-action", - "ruby/setup-ruby", "actions/jekyll-build-pages" - ] + exists(string action | + poisonableActionsDataModel(action) and + result = action + ) } class DangerousActionUsesStep extends PoisonableStep, UsesStep { DangerousActionUsesStep() { this.getCallee() = dangerousActions() } } -// source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L23 -private string dangerousCommands() { - result = - [ - "npm i(nstall)?(\\b|$)", "npm run ", "yarn ", "npm ci(\\b|$)", "make ", "terraform plan", - "terraform apply", "gomplate ", "pre-commit run", "pre-commit install", "go generate", - "msbuild ", "mvn ", "gradle ", "bundle install", "bundle exec ", "^ant ", "mkdocs build", - "pytest", "pip install -r ", "pip install --requirement", "java -jar ", "poetry install", - "poetry run", "cargo " - ] -} - -class BuildRunStep extends PoisonableStep, Run { - BuildRunStep() { - exists( - this.getScript().splitAt("\n").trim().regexpFind("([^a-z]|^)" + dangerousCommands(), _, _) +class PoisonableCommandStep extends PoisonableStep, Run { + PoisonableCommandStep() { + exists(string regexp | + poisonableCommandsDataModel(regexp) and + exists(this.getScript().splitAt("\n").trim().regexpFind("([^a-z]|^)" + regexp, _, _)) ) } } -bindingset[cmdRegexp] -string wrapLocalCmd(string cmdRegexp) { result = "(^|;\\s*|\\s+)" + cmdRegexp + "(\\s+|;|$)" } - -class LocalCommandExecutionRunStep extends PoisonableStep, Run { +class LocalScriptExecutionRunStep extends PoisonableStep, Run { string cmd; - LocalCommandExecutionRunStep() { - // Heuristic: - exists(string line | line = 
this.getScript().splitAt("\n").trim() | - // ./xxxx - // TODO: It could also be in the form of `dir/cmd` - cmd = line.regexpCapture(wrapLocalCmd("\\.\\/(.*)"), 2) - or - // sh xxxx - cmd = line.regexpCapture(wrapLocalCmd("(ba|z|fi)?sh\\s+(.*)"), 3) - or - // node xxxx.js - cmd = line.regexpCapture(wrapLocalCmd("node\\s+(.*)(\\.js|\\.ts)"), 2) - or - // python xxxx.py - cmd = line.regexpCapture(wrapLocalCmd("python\\s+(.*)\\.py"), 2) - or - // ruby xxxx.rb - cmd = line.regexpCapture(wrapLocalCmd("ruby\\s+(.*)\\.rb"), 2) - or - // go xxxx.go - cmd = line.regexpCapture(wrapLocalCmd("go\\s+(.*)\\.go"), 2) + LocalScriptExecutionRunStep() { + exists(string line, string regexp, int group | line = this.getScript().splitAt("\n").trim() | + poisonableLocalScriptsDataModel(regexp, group) and + cmd = line.regexpCapture(regexp, group) ) } diff --git a/ql/lib/codeql/actions/security/SelfHostedQuery.qll b/ql/lib/codeql/actions/security/SelfHostedQuery.qll index 03b6c87405e..419b2ac81a9 100644 --- a/ql/lib/codeql/actions/security/SelfHostedQuery.qll +++ b/ql/lib/codeql/actions/security/SelfHostedQuery.qll @@ -1,5 +1,5 @@ import actions -import codeql.actions.dataflow.ExternalFlow +import codeql.actions.config.Config bindingset[runner] predicate isGithubHostedRunner(string runner) { diff --git a/ql/lib/ext/workflow-models/workflow-models.yml b/ql/lib/ext/config/context_event_map.yml similarity index 78% rename from ql/lib/ext/workflow-models/workflow-models.yml rename to ql/lib/ext/config/context_event_map.yml index 1f0401e8e61..e09dab14f2b 100644 --- a/ql/lib/ext/workflow-models/workflow-models.yml +++ b/ql/lib/ext/config/context_event_map.yml @@ -1,12 +1,4 @@ extensions: - - addsTo: - pack: github/actions-all - extensible: repositoryDataModel - data: [] - - addsTo: - pack: github/actions-all - extensible: workflowDataModel - data: [] - addsTo: pack: github/actions-all extensible: contextTriggerDataModel 
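Review bot: In `LocalScriptExecutionRunStep`, `line.regexpCapture(regexp, group)` only yields a value when the pattern matches the entire trimmed line (that is my understanding of `regexpCapture`; worth confirming). If so, a step such as `cd scripts && ./build.sh` is not recognised as running a local script, and the artifact-poisoning check in ArtifactPoisoningQuery.qll that depends on this class can miss it. The limitation is carried over from the removed `wrapLocalCmd` code rather than introduced here, but now that the patterns are data it is cheap to let the rows accept leading text, or at least to document the requirement at the call, e.g. `// regexp must match the whole trimmed line; group selects the script path`. Separately, `dangerousActions()` can be reduced to the single line `poisonableActionsDataModel(result)`. The class body appears to continue past the end of the hunk.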
@@ -54,19 +46,4 @@ extensions: - ["workflow_call", "github.event.review"] - ["workflow_call", "github.event.workflow"] - ["workflow_call", "github.event.workflow_run"] - - addsTo: - pack: github/actions-all - extensible: externallyTriggerableEventsDataModel - data: - - ["discussion"] - - ["discussion_comment"] - - ["fork"] - - ["issue_comment"] - - ["issues"] - - ["pull_request"] - - ["pull_request_comment"] - - ["pull_request_review"] - - ["pull_request_review_comment"] - - ["pull_request_target"] - - ["workflow_run"] # depending on trigger workflow - - ["workflow_call"] # depending on caller + diff --git a/ql/lib/ext/config/externally_triggereable_events.yml b/ql/lib/ext/config/externally_triggereable_events.yml new file mode 100644 index 00000000000..88d17c728b7 --- /dev/null +++ b/ql/lib/ext/config/externally_triggereable_events.yml @@ -0,0 +1,18 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: externallyTriggerableEventsDataModel + data: + - ["discussion"] + - ["discussion_comment"] + - ["fork"] + - ["issue_comment"] + - ["issues"] + - ["pull_request"] + - ["pull_request_comment"] + - ["pull_request_review"] + - ["pull_request_review_comment"] + - ["pull_request_target"] + - ["workflow_run"] # depending on trigger workflow + - ["workflow_call"] # depending on caller + diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml new file mode 100644 index 00000000000..9a9af08872c --- /dev/null +++ b/ql/lib/ext/config/poisonable_steps.yml 
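Review bot: The new file name `externally_triggereable_events.yml` misspells "triggerable", while the predicate it fills is `externallyTriggerableEventsDataModel`. Renaming it to `externally_triggerable_events.yml` in this commit avoids a later rename and makes the event list easier to find when someone searches for the predicate name.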
@@ -0,0 +1,55 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: poisonableActionsDataModel + # source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L16 + # source: https://boostsecurityio.github.io/lotp/ + data: + - ["pre-commit/action"] + - ["oxsecurity/megalinter"] + - ["bridgecrewio/checkov-action"] + - ["ruby/setup-ruby"] + - ["actions/jekyll-build-pages"] + - addsTo: + pack: github/actions-all + extensible: poisonableCommandsDataModel + # source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L23 + # source: https://boostsecurityio.github.io/lotp/ + data: + - ["ant "] + - ["bundle install"] + - ["bundle exec "] + - ["cargo "] + - ["go generate"] + - ["gomplate "] + - ["gradle "] + - ["java -jar "] + - ["make "] + - ["mkdocs build"] + - ["msbuild "] + - ["mvn "] + - ["npm i(nstall)?(\\b|$)"] + - ["npm run "] + - ["npm ci(\\b|$)"] + - ["pip install -r "] + - ["pip install --requirement"] + - ["poetry install"] + - ["poetry run"] + - ["pre-commit run"] + - ["pre-commit install"] + - ["pytest"] + - ["terraform plan"] + - ["terraform apply"] + - ["yarn "] + - addsTo: + pack: github/actions-all + extensible: poisonableLocalScriptsDataModel + data: + # TODO: It could also be in the form of `dir/cmd` + - ["(^|;\\s*|\\s+)(\\.\\/)(.*)(\\s+|;|$)", 3] + - ["(^|;\\s*|\\s+)(source|sh|bash|zsh|fish)\\s+(.*)(\\s+|;|$)", 3] + - ["(^|;\\s*|\\s+)(node)\\s+(.*)(\\.js|\\.ts)(\\s+|;|$)", 3] + - ["(^|;\\s*|\\s+)(python)\\s+(.*)\\.py(\\s+|;|$)", 3] + - ["(^|;\\s*|\\s+)(ruby)\\s+(.*)\\.rb(\\s+|;|$)", 3] + - ["(^|;\\s*|\\s+)(go)\\s+(.*)\\.go(\\s+|;|$)", 3] + diff --git a/ql/lib/ext/config/workflow_runtime_data.yml b/ql/lib/ext/config/workflow_runtime_data.yml new file mode 100644 index 00000000000..88e266d8142 --- /dev/null +++ b/ql/lib/ext/config/workflow_runtime_data.yml 
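Review bot: Two rows in this file do not match the lists removed from PoisonableSteps.qll, although the rest of the commit reads as a pure move into data. The `ant` command was `"^ant "` and is now `["ant "]`, so with the `([^a-z]|^)` prefix added by the library it matches anywhere in a line after a non-lowercase character instead of only at the start. The shell row now also lists `source`, where the old pattern was `(ba|z|fi)?sh`. Both look like reasonable widenings of the detection, but they change which steps are flagged, so I would mention them in the commit message or comment the rows, e.g. `# widened from "^ant ": also matches after && or ;`. The `poisonableLocalScriptsDataModel` block also lacks the `# source:` comment that the other two blocks carry.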
@@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: github/actions-all + extensible: repositoryDataModel + data: [] + - addsTo: + pack: github/actions-all + extensible: workflowDataModel + data: [] diff --git a/ql/lib/ext/8398a7_action-slack.model.yml b/ql/lib/ext/manual/8398a7_action-slack.model.yml similarity index 100% rename from ql/lib/ext/8398a7_action-slack.model.yml rename to ql/lib/ext/manual/8398a7_action-slack.model.yml diff --git a/ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml b/ql/lib/ext/manual/SonarSource_sonarcloud-github-action.model.yml similarity index 100% rename from ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml rename to ql/lib/ext/manual/SonarSource_sonarcloud-github-action.model.yml diff --git a/ql/lib/ext/actions_github-script.model.yml b/ql/lib/ext/manual/actions_github-script.model.yml similarity index 100% rename from ql/lib/ext/actions_github-script.model.yml rename to ql/lib/ext/manual/actions_github-script.model.yml diff --git a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml b/ql/lib/ext/manual/ahmadnassri_action-changed-files.model.yml similarity index 100% rename from ql/lib/ext/ahmadnassri_action-changed-files.model.yml rename to ql/lib/ext/manual/ahmadnassri_action-changed-files.model.yml diff --git a/ql/lib/ext/akhileshns_heroku-deploy.model.yml b/ql/lib/ext/manual/akhileshns_heroku-deploy.model.yml similarity index 100% rename from ql/lib/ext/akhileshns_heroku-deploy.model.yml rename to ql/lib/ext/manual/akhileshns_heroku-deploy.model.yml diff --git a/ql/lib/ext/amannn_action-semantic-pull-request.model.yml b/ql/lib/ext/manual/amannn_action-semantic-pull-request.model.yml similarity index 100% rename from ql/lib/ext/amannn_action-semantic-pull-request.model.yml rename to ql/lib/ext/manual/amannn_action-semantic-pull-request.model.yml 
diff --git a/ql/lib/ext/anchore_sbom-action.model.yml b/ql/lib/ext/manual/anchore_sbom-action.model.yml similarity index 100% rename from ql/lib/ext/anchore_sbom-action.model.yml rename to ql/lib/ext/manual/anchore_sbom-action.model.yml diff --git a/ql/lib/ext/anchore_scan-action.model.yml b/ql/lib/ext/manual/anchore_scan-action.model.yml similarity index 100% rename from ql/lib/ext/anchore_scan-action.model.yml rename to ql/lib/ext/manual/anchore_scan-action.model.yml diff --git a/ql/lib/ext/andresz1_size-limit-action.model.yml b/ql/lib/ext/manual/andresz1_size-limit-action.model.yml similarity index 100% rename from ql/lib/ext/andresz1_size-limit-action.model.yml rename to ql/lib/ext/manual/andresz1_size-limit-action.model.yml diff --git a/ql/lib/ext/android-actions_setup-android.model.yml b/ql/lib/ext/manual/android-actions_setup-android.model.yml similarity index 100% rename from ql/lib/ext/android-actions_setup-android.model.yml rename to ql/lib/ext/manual/android-actions_setup-android.model.yml diff --git a/ql/lib/ext/apple-actions_import-codesign-certs.model.yml b/ql/lib/ext/manual/apple-actions_import-codesign-certs.model.yml similarity index 100% rename from ql/lib/ext/apple-actions_import-codesign-certs.model.yml rename to ql/lib/ext/manual/apple-actions_import-codesign-certs.model.yml diff --git a/ql/lib/ext/asdf-vm_actions.model.yml b/ql/lib/ext/manual/asdf-vm_actions.model.yml similarity index 100% rename from ql/lib/ext/asdf-vm_actions.model.yml rename to ql/lib/ext/manual/asdf-vm_actions.model.yml diff --git a/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml b/ql/lib/ext/manual/ashley-taylor_read-json-property-action.model.yml similarity index 100% rename from ql/lib/ext/ashley-taylor_read-json-property-action.model.yml rename to ql/lib/ext/manual/ashley-taylor_read-json-property-action.model.yml 
diff --git a/ql/lib/ext/ashley-taylor_regex-property-action.model.yml b/ql/lib/ext/manual/ashley-taylor_regex-property-action.model.yml similarity index 100% rename from ql/lib/ext/ashley-taylor_regex-property-action.model.yml rename to ql/lib/ext/manual/ashley-taylor_regex-property-action.model.yml diff --git a/ql/lib/ext/aszc_change-string-case-action.model.yml b/ql/lib/ext/manual/aszc_change-string-case-action.model.yml similarity index 100% rename from ql/lib/ext/aszc_change-string-case-action.model.yml rename to ql/lib/ext/manual/aszc_change-string-case-action.model.yml diff --git a/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml b/ql/lib/ext/manual/aws-actions_configure-aws-credentials.model.yml similarity index 100% rename from ql/lib/ext/aws-actions_configure-aws-credentials.model.yml rename to ql/lib/ext/manual/aws-actions_configure-aws-credentials.model.yml diff --git a/ql/lib/ext/axel-op_googlejavaformat-action.model.yml b/ql/lib/ext/manual/axel-op_googlejavaformat-action.model.yml similarity index 100% rename from ql/lib/ext/axel-op_googlejavaformat-action.model.yml rename to ql/lib/ext/manual/axel-op_googlejavaformat-action.model.yml diff --git a/ql/lib/ext/azure_powershell.model.yml b/ql/lib/ext/manual/azure_powershell.model.yml similarity index 100% rename from ql/lib/ext/azure_powershell.model.yml rename to ql/lib/ext/manual/azure_powershell.model.yml diff --git a/ql/lib/ext/bahmutov_npm-install.model.yml b/ql/lib/ext/manual/bahmutov_npm-install.model.yml similarity index 100% rename from ql/lib/ext/bahmutov_npm-install.model.yml rename to ql/lib/ext/manual/bahmutov_npm-install.model.yml diff --git a/ql/lib/ext/blackducksoftware_github-action.model.yml b/ql/lib/ext/manual/blackducksoftware_github-action.model.yml similarity index 100% rename from ql/lib/ext/blackducksoftware_github-action.model.yml rename to ql/lib/ext/manual/blackducksoftware_github-action.model.yml 
diff --git a/ql/lib/ext/bobheadxi_deployments.model.yml b/ql/lib/ext/manual/bobheadxi_deployments.model.yml similarity index 100% rename from ql/lib/ext/bobheadxi_deployments.model.yml rename to ql/lib/ext/manual/bobheadxi_deployments.model.yml diff --git a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml b/ql/lib/ext/manual/bufbuild_buf-breaking-action.model.yml similarity index 100% rename from ql/lib/ext/bufbuild_buf-breaking-action.model.yml rename to ql/lib/ext/manual/bufbuild_buf-breaking-action.model.yml diff --git a/ql/lib/ext/bufbuild_buf-lint-action.model.yml b/ql/lib/ext/manual/bufbuild_buf-lint-action.model.yml similarity index 100% rename from ql/lib/ext/bufbuild_buf-lint-action.model.yml rename to ql/lib/ext/manual/bufbuild_buf-lint-action.model.yml diff --git a/ql/lib/ext/bufbuild_buf-setup-action.model.yml b/ql/lib/ext/manual/bufbuild_buf-setup-action.model.yml similarity index 100% rename from ql/lib/ext/bufbuild_buf-setup-action.model.yml rename to ql/lib/ext/manual/bufbuild_buf-setup-action.model.yml diff --git a/ql/lib/ext/cachix_cachix-action.model.yml b/ql/lib/ext/manual/cachix_cachix-action.model.yml similarity index 100% rename from ql/lib/ext/cachix_cachix-action.model.yml rename to ql/lib/ext/manual/cachix_cachix-action.model.yml diff --git a/ql/lib/ext/changesets_action.model.yml b/ql/lib/ext/manual/changesets_action.model.yml similarity index 100% rename from ql/lib/ext/changesets_action.model.yml rename to ql/lib/ext/manual/changesets_action.model.yml diff --git a/ql/lib/ext/cloudflare_wrangler-action.model.yml b/ql/lib/ext/manual/cloudflare_wrangler-action.model.yml similarity index 100% rename from ql/lib/ext/cloudflare_wrangler-action.model.yml rename to ql/lib/ext/manual/cloudflare_wrangler-action.model.yml 
diff --git a/ql/lib/ext/coursier_cache-action.model.yml b/ql/lib/ext/manual/coursier_cache-action.model.yml similarity index 100% rename from ql/lib/ext/coursier_cache-action.model.yml rename to ql/lib/ext/manual/coursier_cache-action.model.yml diff --git a/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml b/ql/lib/ext/manual/crazy-max_ghaction-chocolatey.model.yml similarity index 100% rename from ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml rename to ql/lib/ext/manual/crazy-max_ghaction-chocolatey.model.yml diff --git a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml b/ql/lib/ext/manual/crazy-max_ghaction-import-gpg.model.yml similarity index 100% rename from ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml rename to ql/lib/ext/manual/crazy-max_ghaction-import-gpg.model.yml diff --git a/ql/lib/ext/csexton_release-asset-action.model.yml b/ql/lib/ext/manual/csexton_release-asset-action.model.yml similarity index 100% rename from ql/lib/ext/csexton_release-asset-action.model.yml rename to ql/lib/ext/manual/csexton_release-asset-action.model.yml diff --git a/ql/lib/ext/cycjimmy_semantic-release-action.model.yml b/ql/lib/ext/manual/cycjimmy_semantic-release-action.model.yml similarity index 100% rename from ql/lib/ext/cycjimmy_semantic-release-action.model.yml rename to ql/lib/ext/manual/cycjimmy_semantic-release-action.model.yml diff --git a/ql/lib/ext/cypress-io_github-action.model.yml b/ql/lib/ext/manual/cypress-io_github-action.model.yml similarity index 100% rename from ql/lib/ext/cypress-io_github-action.model.yml rename to ql/lib/ext/manual/cypress-io_github-action.model.yml diff --git a/ql/lib/ext/dailydotdev_action-devcard.model.yml b/ql/lib/ext/manual/dailydotdev_action-devcard.model.yml similarity index 100% rename from ql/lib/ext/dailydotdev_action-devcard.model.yml rename to ql/lib/ext/manual/dailydotdev_action-devcard.model.yml 
diff --git a/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml b/ql/lib/ext/manual/danielpalme_reportgenerator-github-action.model.yml similarity index 100% rename from ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml rename to ql/lib/ext/manual/danielpalme_reportgenerator-github-action.model.yml diff --git a/ql/lib/ext/daspn_private-actions-checkout.model.yml b/ql/lib/ext/manual/daspn_private-actions-checkout.model.yml similarity index 100% rename from ql/lib/ext/daspn_private-actions-checkout.model.yml rename to ql/lib/ext/manual/daspn_private-actions-checkout.model.yml diff --git a/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml b/ql/lib/ext/manual/dawidd6_action-ansible-playbook.model.yml similarity index 100% rename from ql/lib/ext/dawidd6_action-ansible-playbook.model.yml rename to ql/lib/ext/manual/dawidd6_action-ansible-playbook.model.yml diff --git a/ql/lib/ext/dawidd6_action-download-artifact.model.yml b/ql/lib/ext/manual/dawidd6_action-download-artifact.model.yml similarity index 100% rename from ql/lib/ext/dawidd6_action-download-artifact.model.yml rename to ql/lib/ext/manual/dawidd6_action-download-artifact.model.yml diff --git a/ql/lib/ext/delaguardo_setup-clojure.model.yml b/ql/lib/ext/manual/delaguardo_setup-clojure.model.yml similarity index 100% rename from ql/lib/ext/delaguardo_setup-clojure.model.yml rename to ql/lib/ext/manual/delaguardo_setup-clojure.model.yml diff --git a/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml b/ql/lib/ext/manual/determinatesystems_magic-nix-cache-action.model.yml similarity index 100% rename from ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml rename to ql/lib/ext/manual/determinatesystems_magic-nix-cache-action.model.yml 
diff --git a/ql/lib/ext/docker-practice_actions-setup-docker.model.yml b/ql/lib/ext/manual/docker-practice_actions-setup-docker.model.yml similarity index 100% rename from ql/lib/ext/docker-practice_actions-setup-docker.model.yml rename to ql/lib/ext/manual/docker-practice_actions-setup-docker.model.yml diff --git a/ql/lib/ext/docker_build-push-action.model.yml b/ql/lib/ext/manual/docker_build-push-action.model.yml similarity index 100% rename from ql/lib/ext/docker_build-push-action.model.yml rename to ql/lib/ext/manual/docker_build-push-action.model.yml diff --git a/ql/lib/ext/endbug_latest-tag.model.yml b/ql/lib/ext/manual/endbug_latest-tag.model.yml similarity index 100% rename from ql/lib/ext/endbug_latest-tag.model.yml rename to ql/lib/ext/manual/endbug_latest-tag.model.yml diff --git a/ql/lib/ext/expo_expo-github-action.model.yml b/ql/lib/ext/manual/expo_expo-github-action.model.yml similarity index 100% rename from ql/lib/ext/expo_expo-github-action.model.yml rename to ql/lib/ext/manual/expo_expo-github-action.model.yml diff --git a/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml b/ql/lib/ext/manual/firebaseextended_action-hosting-deploy.model.yml similarity index 100% rename from ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml rename to ql/lib/ext/manual/firebaseextended_action-hosting-deploy.model.yml diff --git a/ql/lib/ext/frabert_replace-string-action.model.yml b/ql/lib/ext/manual/frabert_replace-string-action.model.yml similarity index 100% rename from ql/lib/ext/frabert_replace-string-action.model.yml rename to ql/lib/ext/manual/frabert_replace-string-action.model.yml diff --git a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml b/ql/lib/ext/manual/franzdiebold_github-env-vars-action.model.yml similarity index 100% rename from ql/lib/ext/franzdiebold_github-env-vars-action.model.yml rename to ql/lib/ext/manual/franzdiebold_github-env-vars-action.model.yml 
diff --git a/ql/lib/ext/gabrielbb_xvfb-action.model.yml b/ql/lib/ext/manual/gabrielbb_xvfb-action.model.yml similarity index 100% rename from ql/lib/ext/gabrielbb_xvfb-action.model.yml rename to ql/lib/ext/manual/gabrielbb_xvfb-action.model.yml diff --git a/ql/lib/ext/game-ci_unity-builder.model.yml b/ql/lib/ext/manual/game-ci_unity-builder.model.yml similarity index 100% rename from ql/lib/ext/game-ci_unity-builder.model.yml rename to ql/lib/ext/manual/game-ci_unity-builder.model.yml diff --git a/ql/lib/ext/game-ci_unity-test-runner.model.yml b/ql/lib/ext/manual/game-ci_unity-test-runner.model.yml similarity index 100% rename from ql/lib/ext/game-ci_unity-test-runner.model.yml rename to ql/lib/ext/manual/game-ci_unity-test-runner.model.yml diff --git a/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml b/ql/lib/ext/manual/gautamkrishnar_blog-post-workflow.model.yml similarity index 100% rename from ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml rename to ql/lib/ext/manual/gautamkrishnar_blog-post-workflow.model.yml diff --git a/ql/lib/ext/getsentry_action-release.model.yml b/ql/lib/ext/manual/getsentry_action-release.model.yml similarity index 100% rename from ql/lib/ext/getsentry_action-release.model.yml rename to ql/lib/ext/manual/getsentry_action-release.model.yml diff --git a/ql/lib/ext/github_codeql-action.model.yml b/ql/lib/ext/manual/github_codeql-action.model.yml similarity index 100% rename from ql/lib/ext/github_codeql-action.model.yml rename to ql/lib/ext/manual/github_codeql-action.model.yml diff --git a/ql/lib/ext/go-semantic-release_action.model.yml b/ql/lib/ext/manual/go-semantic-release_action.model.yml similarity index 100% rename from ql/lib/ext/go-semantic-release_action.model.yml rename to ql/lib/ext/manual/go-semantic-release_action.model.yml 
diff --git a/ql/lib/ext/golangci_golangci-lint-action.model.yml b/ql/lib/ext/manual/golangci_golangci-lint-action.model.yml similarity index 100% rename from ql/lib/ext/golangci_golangci-lint-action.model.yml rename to ql/lib/ext/manual/golangci_golangci-lint-action.model.yml diff --git a/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml b/ql/lib/ext/manual/gonuit_heroku-docker-deploy.model.yml similarity index 100% rename from ql/lib/ext/gonuit_heroku-docker-deploy.model.yml rename to ql/lib/ext/manual/gonuit_heroku-docker-deploy.model.yml diff --git a/ql/lib/ext/goreleaser_goreleaser-action.model.yml b/ql/lib/ext/manual/goreleaser_goreleaser-action.model.yml similarity index 100% rename from ql/lib/ext/goreleaser_goreleaser-action.model.yml rename to ql/lib/ext/manual/goreleaser_goreleaser-action.model.yml diff --git a/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml b/ql/lib/ext/manual/gr2m_create-or-update-pull-request-action.model.yml similarity index 100% rename from ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml rename to ql/lib/ext/manual/gr2m_create-or-update-pull-request-action.model.yml diff --git a/ql/lib/ext/gradle_gradle-build-action.model.yml b/ql/lib/ext/manual/gradle_gradle-build-action.model.yml similarity index 100% rename from ql/lib/ext/gradle_gradle-build-action.model.yml rename to ql/lib/ext/manual/gradle_gradle-build-action.model.yml diff --git a/ql/lib/ext/haya14busa_action-cond.model.yml b/ql/lib/ext/manual/haya14busa_action-cond.model.yml similarity index 100% rename from ql/lib/ext/haya14busa_action-cond.model.yml rename to ql/lib/ext/manual/haya14busa_action-cond.model.yml diff --git a/ql/lib/ext/hexlet_project-action.model.yml b/ql/lib/ext/manual/hexlet_project-action.model.yml similarity index 100% rename from ql/lib/ext/hexlet_project-action.model.yml rename to ql/lib/ext/manual/hexlet_project-action.model.yml 
diff --git a/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml b/ql/lib/ext/manual/ilammy_msvc-dev-cmd.model.yml
similarity index 100%
rename from ql/lib/ext/ilammy_msvc-dev-cmd.model.yml
rename to ql/lib/ext/manual/ilammy_msvc-dev-cmd.model.yml
diff --git a/ql/lib/ext/ilammy_setup-nasm.model.yml b/ql/lib/ext/manual/ilammy_setup-nasm.model.yml
similarity index 100%
rename from ql/lib/ext/ilammy_setup-nasm.model.yml
rename to ql/lib/ext/manual/ilammy_setup-nasm.model.yml
diff --git a/ql/lib/ext/imjohnbo_issue-bot.model.yml b/ql/lib/ext/manual/imjohnbo_issue-bot.model.yml
similarity index 100%
rename from ql/lib/ext/imjohnbo_issue-bot.model.yml
rename to ql/lib/ext/manual/imjohnbo_issue-bot.model.yml
diff --git a/ql/lib/ext/iterative_setup-cml.model.yml b/ql/lib/ext/manual/iterative_setup-cml.model.yml
similarity index 100%
rename from ql/lib/ext/iterative_setup-cml.model.yml
rename to ql/lib/ext/manual/iterative_setup-cml.model.yml
diff --git a/ql/lib/ext/iterative_setup-dvc.model.yml b/ql/lib/ext/manual/iterative_setup-dvc.model.yml
similarity index 100%
rename from ql/lib/ext/iterative_setup-dvc.model.yml
rename to ql/lib/ext/manual/iterative_setup-dvc.model.yml
diff --git a/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml b/ql/lib/ext/manual/jamesives_github-pages-deploy-action.model.yml
similarity index 100%
rename from ql/lib/ext/jamesives_github-pages-deploy-action.model.yml
rename to ql/lib/ext/manual/jamesives_github-pages-deploy-action.model.yml
diff --git a/ql/lib/ext/jitterbit_get-changed-files.model.yml b/ql/lib/ext/manual/jitterbit_get-changed-files.model.yml
similarity index 100%
rename from ql/lib/ext/jitterbit_get-changed-files.model.yml
rename to ql/lib/ext/manual/jitterbit_get-changed-files.model.yml
diff --git a/ql/lib/ext/johnnymorganz_stylua-action.model.yml b/ql/lib/ext/manual/johnnymorganz_stylua-action.model.yml
similarity index 100%
rename from ql/lib/ext/johnnymorganz_stylua-action.model.yml
rename to ql/lib/ext/manual/johnnymorganz_stylua-action.model.yml
diff --git a/ql/lib/ext/jsdaniell_create-json.model.yml b/ql/lib/ext/manual/jsdaniell_create-json.model.yml
similarity index 100%
rename from ql/lib/ext/jsdaniell_create-json.model.yml
rename to ql/lib/ext/manual/jsdaniell_create-json.model.yml
diff --git a/ql/lib/ext/jurplel_install-qt-action.model.yml b/ql/lib/ext/manual/jurplel_install-qt-action.model.yml
similarity index 100%
rename from ql/lib/ext/jurplel_install-qt-action.model.yml
rename to ql/lib/ext/manual/jurplel_install-qt-action.model.yml
diff --git a/ql/lib/ext/jwalton_gh-ecr-push.model.yml b/ql/lib/ext/manual/jwalton_gh-ecr-push.model.yml
similarity index 100%
rename from ql/lib/ext/jwalton_gh-ecr-push.model.yml
rename to ql/lib/ext/manual/jwalton_gh-ecr-push.model.yml
diff --git a/ql/lib/ext/khan_pull-request-comment-trigger.model.yml b/ql/lib/ext/manual/khan_pull-request-comment-trigger.model.yml
similarity index 100%
rename from ql/lib/ext/khan_pull-request-comment-trigger.model.yml
rename to ql/lib/ext/manual/khan_pull-request-comment-trigger.model.yml
diff --git a/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml b/ql/lib/ext/manual/larsoner_circleci-artifacts-redirector-action.model.yml
similarity index 100%
rename from ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml
rename to ql/lib/ext/manual/larsoner_circleci-artifacts-redirector-action.model.yml
diff --git a/ql/lib/ext/leafo_gh-actions-lua.model.yml b/ql/lib/ext/manual/leafo_gh-actions-lua.model.yml
similarity index 100%
rename from ql/lib/ext/leafo_gh-actions-lua.model.yml
rename to ql/lib/ext/manual/leafo_gh-actions-lua.model.yml
diff --git a/ql/lib/ext/leafo_gh-actions-luarocks.model.yml b/ql/lib/ext/manual/leafo_gh-actions-luarocks.model.yml
similarity index 100%
rename from ql/lib/ext/leafo_gh-actions-luarocks.model.yml
rename to ql/lib/ext/manual/leafo_gh-actions-luarocks.model.yml
diff --git a/ql/lib/ext/lucasbento_auto-close-issues.model.yml b/ql/lib/ext/manual/lucasbento_auto-close-issues.model.yml
similarity index 100%
rename from ql/lib/ext/lucasbento_auto-close-issues.model.yml
rename to ql/lib/ext/manual/lucasbento_auto-close-issues.model.yml
diff --git a/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml b/ql/lib/ext/manual/mad9000_actions-find-and-replace-string.model.yml
similarity index 100%
rename from ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml
rename to ql/lib/ext/manual/mad9000_actions-find-and-replace-string.model.yml
diff --git a/ql/lib/ext/magefile_mage-action.model.yml b/ql/lib/ext/manual/magefile_mage-action.model.yml
similarity index 100%
rename from ql/lib/ext/magefile_mage-action.model.yml
rename to ql/lib/ext/manual/magefile_mage-action.model.yml
diff --git a/ql/lib/ext/maierj_fastlane-action.model.yml b/ql/lib/ext/manual/maierj_fastlane-action.model.yml
similarity index 100%
rename from ql/lib/ext/maierj_fastlane-action.model.yml
rename to ql/lib/ext/manual/maierj_fastlane-action.model.yml
diff --git a/ql/lib/ext/manusa_actions-setup-minikube.model.yml b/ql/lib/ext/manual/manusa_actions-setup-minikube.model.yml
similarity index 100%
rename from ql/lib/ext/manusa_actions-setup-minikube.model.yml
rename to ql/lib/ext/manual/manusa_actions-setup-minikube.model.yml
diff --git a/ql/lib/ext/marocchino_on_artifact.model.yml b/ql/lib/ext/manual/marocchino_on_artifact.model.yml
similarity index 100%
rename from ql/lib/ext/marocchino_on_artifact.model.yml
rename to ql/lib/ext/manual/marocchino_on_artifact.model.yml
diff --git a/ql/lib/ext/mattdavis0351_actions.model.yml b/ql/lib/ext/manual/mattdavis0351_actions.model.yml
similarity index 100%
rename from ql/lib/ext/mattdavis0351_actions.model.yml
rename to ql/lib/ext/manual/mattdavis0351_actions.model.yml
diff --git a/ql/lib/ext/meteorengineer_setup-meteor.model.yml b/ql/lib/ext/manual/meteorengineer_setup-meteor.model.yml
similarity index 100%
rename from ql/lib/ext/meteorengineer_setup-meteor.model.yml
rename to ql/lib/ext/manual/meteorengineer_setup-meteor.model.yml
diff --git a/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml b/ql/lib/ext/manual/metro-digital_setup-tools-for-waas.model.yml
similarity index 100%
rename from ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml
rename to ql/lib/ext/manual/metro-digital_setup-tools-for-waas.model.yml
diff --git a/ql/lib/ext/microsoft_setup-msbuild.model.yml b/ql/lib/ext/manual/microsoft_setup-msbuild.model.yml
similarity index 100%
rename from ql/lib/ext/microsoft_setup-msbuild.model.yml
rename to ql/lib/ext/manual/microsoft_setup-msbuild.model.yml
diff --git a/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml b/ql/lib/ext/manual/mishakav_pytest-coverage-comment.model.yml
similarity index 100%
rename from ql/lib/ext/mishakav_pytest-coverage-comment.model.yml
rename to ql/lib/ext/manual/mishakav_pytest-coverage-comment.model.yml
diff --git a/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml b/ql/lib/ext/manual/mr-smithers-excellent_docker-build-push.model.yml
similarity index 100%
rename from ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml
rename to ql/lib/ext/manual/mr-smithers-excellent_docker-build-push.model.yml
diff --git a/ql/lib/ext/msys2_setup-msys2.model.yml b/ql/lib/ext/manual/msys2_setup-msys2.model.yml
similarity index 100%
rename from ql/lib/ext/msys2_setup-msys2.model.yml
rename to ql/lib/ext/manual/msys2_setup-msys2.model.yml
diff --git a/ql/lib/ext/mxschmitt_action-tmate.model.yml b/ql/lib/ext/manual/mxschmitt_action-tmate.model.yml
similarity index 100%
rename from ql/lib/ext/mxschmitt_action-tmate.model.yml
rename to ql/lib/ext/manual/mxschmitt_action-tmate.model.yml
diff --git a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml b/ql/lib/ext/manual/mymindstorm_setup-emsdk.model.yml
similarity index 100%
rename from ql/lib/ext/mymindstorm_setup-emsdk.model.yml
rename to ql/lib/ext/manual/mymindstorm_setup-emsdk.model.yml
diff --git a/ql/lib/ext/nanasess_setup-chromedriver.model.yml b/ql/lib/ext/manual/nanasess_setup-chromedriver.model.yml
similarity index 100%
rename from ql/lib/ext/nanasess_setup-chromedriver.model.yml
rename to ql/lib/ext/manual/nanasess_setup-chromedriver.model.yml
diff --git a/ql/lib/ext/nanasess_setup-php.model.yml b/ql/lib/ext/manual/nanasess_setup-php.model.yml
similarity index 100%
rename from ql/lib/ext/nanasess_setup-php.model.yml
rename to ql/lib/ext/manual/nanasess_setup-php.model.yml
diff --git a/ql/lib/ext/nick-fields_retry.model.yml b/ql/lib/ext/manual/nick-fields_retry.model.yml
similarity index 100%
rename from ql/lib/ext/nick-fields_retry.model.yml
rename to ql/lib/ext/manual/nick-fields_retry.model.yml
diff --git a/ql/lib/ext/octokit_graphql-action.model.yml b/ql/lib/ext/manual/octokit_graphql-action.model.yml
similarity index 100%
rename from ql/lib/ext/octokit_graphql-action.model.yml
rename to ql/lib/ext/manual/octokit_graphql-action.model.yml
diff --git a/ql/lib/ext/octokit_request-action.model.yml b/ql/lib/ext/manual/octokit_request-action.model.yml
similarity index 100%
rename from ql/lib/ext/octokit_request-action.model.yml
rename to ql/lib/ext/manual/octokit_request-action.model.yml
diff --git a/ql/lib/ext/olafurpg_setup-scala.model.yml b/ql/lib/ext/manual/olafurpg_setup-scala.model.yml
similarity index 100%
rename from ql/lib/ext/olafurpg_setup-scala.model.yml
rename to ql/lib/ext/manual/olafurpg_setup-scala.model.yml
diff --git a/ql/lib/ext/paambaati_codeclimate-action.model.yml b/ql/lib/ext/manual/paambaati_codeclimate-action.model.yml
similarity index 100%
rename from ql/lib/ext/paambaati_codeclimate-action.model.yml
rename to ql/lib/ext/manual/paambaati_codeclimate-action.model.yml
diff --git a/ql/lib/ext/peter-evans_create-pull-request.model.yml b/ql/lib/ext/manual/peter-evans_create-pull-request.model.yml
similarity index 100%
rename from ql/lib/ext/peter-evans_create-pull-request.model.yml
rename to ql/lib/ext/manual/peter-evans_create-pull-request.model.yml
diff --git a/ql/lib/ext/peter-murray_issue-body-parser-action.model.yml b/ql/lib/ext/manual/peter-murray_issue-body-parser-action.model.yml
similarity index 100%
rename from ql/lib/ext/peter-murray_issue-body-parser-action.model.yml
rename to ql/lib/ext/manual/peter-murray_issue-body-parser-action.model.yml
diff --git a/ql/lib/ext/plasmicapp_plasmic-action.model.yml b/ql/lib/ext/manual/plasmicapp_plasmic-action.model.yml
similarity index 100%
rename from ql/lib/ext/plasmicapp_plasmic-action.model.yml
rename to ql/lib/ext/manual/plasmicapp_plasmic-action.model.yml
diff --git a/ql/lib/ext/preactjs_compressed-size-action.model.yml b/ql/lib/ext/manual/preactjs_compressed-size-action.model.yml
similarity index 100%
rename from ql/lib/ext/preactjs_compressed-size-action.model.yml
rename to ql/lib/ext/manual/preactjs_compressed-size-action.model.yml
diff --git a/ql/lib/ext/py-actions_flake8.model.yml b/ql/lib/ext/manual/py-actions_flake8.model.yml
similarity index 100%
rename from ql/lib/ext/py-actions_flake8.model.yml
rename to ql/lib/ext/manual/py-actions_flake8.model.yml
diff --git a/ql/lib/ext/py-actions_py-dependency-install.model.yml b/ql/lib/ext/manual/py-actions_py-dependency-install.model.yml
similarity index 100%
rename from ql/lib/ext/py-actions_py-dependency-install.model.yml
rename to ql/lib/ext/manual/py-actions_py-dependency-install.model.yml
diff --git a/ql/lib/ext/pyo3_maturin-action.model.yml b/ql/lib/ext/manual/pyo3_maturin-action.model.yml
similarity index 100%
rename from ql/lib/ext/pyo3_maturin-action.model.yml
rename to ql/lib/ext/manual/pyo3_maturin-action.model.yml
diff --git a/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml b/ql/lib/ext/manual/reactivecircus_android-emulator-runner.model.yml
similarity index 100%
rename from ql/lib/ext/reactivecircus_android-emulator-runner.model.yml
rename to ql/lib/ext/manual/reactivecircus_android-emulator-runner.model.yml
diff --git a/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml b/ql/lib/ext/manual/redhat-plumbers-in-action_download-artifact.model.yml
similarity index 100%
rename from ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml
rename to ql/lib/ext/manual/redhat-plumbers-in-action_download-artifact.model.yml
diff --git a/ql/lib/ext/reggionick_s3-deploy.model.yml b/ql/lib/ext/manual/reggionick_s3-deploy.model.yml
similarity index 100%
rename from ql/lib/ext/reggionick_s3-deploy.model.yml
rename to ql/lib/ext/manual/reggionick_s3-deploy.model.yml
diff --git a/ql/lib/ext/renovatebot_github-action.model.yml b/ql/lib/ext/manual/renovatebot_github-action.model.yml
similarity index 100%
rename from ql/lib/ext/renovatebot_github-action.model.yml
rename to ql/lib/ext/manual/renovatebot_github-action.model.yml
diff --git a/ql/lib/ext/roots_issue-closer-action.model.yml b/ql/lib/ext/manual/roots_issue-closer-action.model.yml
similarity index 100%
rename from ql/lib/ext/roots_issue-closer-action.model.yml
rename to ql/lib/ext/manual/roots_issue-closer-action.model.yml
diff --git a/ql/lib/ext/ros-tooling_setup-ros.model.yml b/ql/lib/ext/manual/ros-tooling_setup-ros.model.yml
similarity index 100%
rename from ql/lib/ext/ros-tooling_setup-ros.model.yml
rename to ql/lib/ext/manual/ros-tooling_setup-ros.model.yml
diff --git a/ql/lib/ext/ruby_setup-ruby.model.yml b/ql/lib/ext/manual/ruby_setup-ruby.model.yml
similarity index 100%
rename from ql/lib/ext/ruby_setup-ruby.model.yml
rename to ql/lib/ext/manual/ruby_setup-ruby.model.yml
diff --git a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml b/ql/lib/ext/manual/salsify_action-detect-and-tag-new-version.model.yml
similarity index 100%
rename from ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml
rename to ql/lib/ext/manual/salsify_action-detect-and-tag-new-version.model.yml
diff --git a/ql/lib/ext/sergeysova_jq-action.model.yml b/ql/lib/ext/manual/sergeysova_jq-action.model.yml
similarity index 100%
rename from ql/lib/ext/sergeysova_jq-action.model.yml
rename to ql/lib/ext/manual/sergeysova_jq-action.model.yml
diff --git a/ql/lib/ext/shallwefootball_upload-s3-action.model.yml b/ql/lib/ext/manual/shallwefootball_upload-s3-action.model.yml
similarity index 100%
rename from ql/lib/ext/shallwefootball_upload-s3-action.model.yml
rename to ql/lib/ext/manual/shallwefootball_upload-s3-action.model.yml
diff --git a/ql/lib/ext/shogo82148_actions-setup-perl.model.yml b/ql/lib/ext/manual/shogo82148_actions-setup-perl.model.yml
similarity index 100%
rename from ql/lib/ext/shogo82148_actions-setup-perl.model.yml
rename to ql/lib/ext/manual/shogo82148_actions-setup-perl.model.yml
diff --git a/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml b/ql/lib/ext/manual/skitionek_notify-microsoft-teams.model.yml
similarity index 100%
rename from ql/lib/ext/skitionek_notify-microsoft-teams.model.yml
rename to ql/lib/ext/manual/skitionek_notify-microsoft-teams.model.yml
diff --git a/ql/lib/ext/snow-actions_eclint.model.yml b/ql/lib/ext/manual/snow-actions_eclint.model.yml
similarity index 100%
rename from ql/lib/ext/snow-actions_eclint.model.yml
rename to ql/lib/ext/manual/snow-actions_eclint.model.yml
diff --git a/ql/lib/ext/stackhawk_hawkscan-action.model.yml b/ql/lib/ext/manual/stackhawk_hawkscan-action.model.yml
similarity index 100%
rename from ql/lib/ext/stackhawk_hawkscan-action.model.yml
rename to ql/lib/ext/manual/stackhawk_hawkscan-action.model.yml
diff --git a/ql/lib/ext/step-security_harden-runner.model.yml b/ql/lib/ext/manual/step-security_harden-runner.model.yml
similarity index 100%
rename from ql/lib/ext/step-security_harden-runner.model.yml
rename to ql/lib/ext/manual/step-security_harden-runner.model.yml
diff --git a/ql/lib/ext/suisei-cn_actions-download-file.model.yml b/ql/lib/ext/manual/suisei-cn_actions-download-file.model.yml
similarity index 100%
rename from ql/lib/ext/suisei-cn_actions-download-file.model.yml
rename to ql/lib/ext/manual/suisei-cn_actions-download-file.model.yml
diff --git a/ql/lib/ext/tibdex_backport.model.yml b/ql/lib/ext/manual/tibdex_backport.model.yml
similarity index 100%
rename from ql/lib/ext/tibdex_backport.model.yml
rename to ql/lib/ext/manual/tibdex_backport.model.yml
diff --git a/ql/lib/ext/timheuer_base64-to-file.model.yml b/ql/lib/ext/manual/timheuer_base64-to-file.model.yml
similarity index 100%
rename from ql/lib/ext/timheuer_base64-to-file.model.yml
rename to ql/lib/ext/manual/timheuer_base64-to-file.model.yml
diff --git a/ql/lib/ext/tj-actions_branch-names.model.yml b/ql/lib/ext/manual/tj-actions_branch-names.model.yml
similarity index 100%
rename from ql/lib/ext/tj-actions_branch-names.model.yml
rename to ql/lib/ext/manual/tj-actions_branch-names.model.yml
diff --git a/ql/lib/ext/trilom_file-changes-action.model.yml b/ql/lib/ext/manual/trilom_file-changes-action.model.yml
similarity index 100%
rename from ql/lib/ext/trilom_file-changes-action.model.yml
rename to ql/lib/ext/manual/trilom_file-changes-action.model.yml
diff --git a/ql/lib/ext/tripss_conventional-changelog-action.model.yml b/ql/lib/ext/manual/tripss_conventional-changelog-action.model.yml
similarity index 100%
rename from ql/lib/ext/tripss_conventional-changelog-action.model.yml
rename to ql/lib/ext/manual/tripss_conventional-changelog-action.model.yml
diff --git a/ql/lib/ext/tryghost_action-deploy-theme.model.yml b/ql/lib/ext/manual/tryghost_action-deploy-theme.model.yml
similarity index 100%
rename from ql/lib/ext/tryghost_action-deploy-theme.model.yml
rename to ql/lib/ext/manual/tryghost_action-deploy-theme.model.yml
diff --git a/ql/lib/ext/tzkhan_pr-update-action.model.yml b/ql/lib/ext/manual/tzkhan_pr-update-action.model.yml
similarity index 100%
rename from ql/lib/ext/tzkhan_pr-update-action.model.yml
rename to ql/lib/ext/manual/tzkhan_pr-update-action.model.yml
diff --git a/ql/lib/ext/veracode_veracode-sca.model.yml b/ql/lib/ext/manual/veracode_veracode-sca.model.yml
similarity index 100%
rename from ql/lib/ext/veracode_veracode-sca.model.yml
rename to ql/lib/ext/manual/veracode_veracode-sca.model.yml
diff --git a/ql/lib/ext/wearerequired_lint-action.model.yml b/ql/lib/ext/manual/wearerequired_lint-action.model.yml
similarity index 100%
rename from ql/lib/ext/wearerequired_lint-action.model.yml
rename to ql/lib/ext/manual/wearerequired_lint-action.model.yml
diff --git a/ql/lib/ext/webfactory_ssh-agent.model.yml b/ql/lib/ext/manual/webfactory_ssh-agent.model.yml
similarity index 100%
rename from ql/lib/ext/webfactory_ssh-agent.model.yml
rename to ql/lib/ext/manual/webfactory_ssh-agent.model.yml
diff --git a/ql/lib/ext/xt0rted_slash-command-action.model.yml b/ql/lib/ext/manual/xt0rted_slash-command-action.model.yml
similarity index 100%
rename from ql/lib/ext/xt0rted_slash-command-action.model.yml
rename to ql/lib/ext/manual/xt0rted_slash-command-action.model.yml
diff --git a/ql/lib/ext/zaproxy_action-baseline.model.yml b/ql/lib/ext/manual/zaproxy_action-baseline.model.yml
similarity index 100%
rename from ql/lib/ext/zaproxy_action-baseline.model.yml
rename to ql/lib/ext/manual/zaproxy_action-baseline.model.yml
diff --git a/ql/lib/ext/zaproxy_action-full-scan.model.yml b/ql/lib/ext/manual/zaproxy_action-full-scan.model.yml
similarity index 100%
rename from ql/lib/ext/zaproxy_action-full-scan.model.yml
rename to ql/lib/ext/manual/zaproxy_action-full-scan.model.yml
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index abc56e6a090..aece8aacc5f 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -11,6 +11,6 @@ dependencies:
 extractor: javascript
 groups: javascript
 dataExtensions:
- - ext/*.model.yml
- - ext/**/*.model.yml
- - ext/workflow-models/workflow-models.yml
+ - ext/manual/*.model.yml
+ - ext/generated/**/*.model.yml
+ - ext/config/*.yml
diff --git a/ql/test/library-tests/workflowenum.ql b/ql/test/library-tests/workflowenum.ql
index b3dc9185ec4..a4d4eb43bb2 100644
--- a/ql/test/library-tests/workflowenum.ql
+++ b/ql/test/library-tests/workflowenum.ql
@@ -1,5 +1,5 @@
 import actions
-import codeql.actions.dataflow.internal.ExternalFlowExtensions as Extensions
+import codeql.actions.config.ConfigExtensions as Extensions
 from string path, string trigger, string job, string secrets_source, string permissions,
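Review bot: In the `ql/lib/qlpack.yml` hunk, the new `dataExtensions` globs no longer match a model file left directly in `ext/` or placed in a subdirectory of `ext/manual/`, where the removed `ext/*.model.yml` and `ext/**/*.model.yml` entries matched at any depth. As far as I know an extension file that matches no glob is skipped without an error, so the affected action would lose its modelled sources, sinks or summaries and the queries would miss findings rather than fail. `ext/manual/*.model.yml` is also non-recursive while the generated entry uses `**`; if that asymmetry is not intended, `- ext/manual/**/*.model.yml` would line the two up. A comment above the list such as `# files under ext/ that match none of these globs are not loaded` would make the constraint visible. A check that no `*.model.yml` remains outside the three directories seems worth adding next to the renames.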