From fc8173239e1ba10b9ed2e4f3b5dee76e3854b0cf Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Tue, 25 Jun 2024 09:47:43 +0200 Subject: [PATCH] Move configuration to MaD files --- ql/lib/codeql/actions/ast/internal/Ast.qll | 2 +- ql/lib/codeql/actions/config/Config.qll | 74 +++++++++++++++++++ .../actions/config/ConfigExtensions.qll | 41 ++++++++++ .../codeql/actions/dataflow/ExternalFlow.qll | 45 ----------- .../codeql/actions/dataflow/FlowSources.qll | 3 +- .../internal/ExternalFlowExtensions.qll | 22 ------ .../security/ArtifactPoisoningQuery.qll | 4 +- .../actions/security/CachePoisoningQuery.qll | 2 +- .../actions/security/PoisonableSteps.qll | 62 ++++------------ .../actions/security/SelfHostedQuery.qll | 2 +- .../context_event_map.yml} | 25 +------ .../config/externally_triggereable_events.yml | 18 +++++ ql/lib/ext/config/poisonable_steps.yml | 55 ++++++++++++++ ql/lib/ext/config/workflow_runtime_data.yml | 9 +++ .../8398a7_action-slack.model.yml | 0 ...rSource_sonarcloud-github-action.model.yml | 0 .../actions_github-script.model.yml | 0 ...ahmadnassri_action-changed-files.model.yml | 0 .../akhileshns_heroku-deploy.model.yml | 0 ...nnn_action-semantic-pull-request.model.yml | 0 .../anchore_sbom-action.model.yml | 0 .../anchore_scan-action.model.yml | 0 .../andresz1_size-limit-action.model.yml | 0 .../android-actions_setup-android.model.yml | 0 ...le-actions_import-codesign-certs.model.yml | 0 .../{ => manual}/asdf-vm_actions.model.yml | 0 ...taylor_read-json-property-action.model.yml | 0 ...ley-taylor_regex-property-action.model.yml | 0 .../aszc_change-string-case-action.model.yml | 0 ...ctions_configure-aws-credentials.model.yml | 0 .../axel-op_googlejavaformat-action.model.yml | 0 .../{ => manual}/azure_powershell.model.yml | 0 .../bahmutov_npm-install.model.yml | 0 .../blackducksoftware_github-action.model.yml | 0 .../bobheadxi_deployments.model.yml | 0 .../bufbuild_buf-breaking-action.model.yml | 0 .../bufbuild_buf-lint-action.model.yml | 0 .../bufbuild_buf-setup-action.model.yml | 0 
.../cachix_cachix-action.model.yml | 0 .../{ => manual}/changesets_action.model.yml | 0 .../cloudflare_wrangler-action.model.yml | 0 .../coursier_cache-action.model.yml | 0 .../crazy-max_ghaction-chocolatey.model.yml | 0 .../crazy-max_ghaction-import-gpg.model.yml | 0 .../csexton_release-asset-action.model.yml | 0 ...cycjimmy_semantic-release-action.model.yml | 0 .../cypress-io_github-action.model.yml | 0 .../dailydotdev_action-devcard.model.yml | 0 ...me_reportgenerator-github-action.model.yml | 0 .../daspn_private-actions-checkout.model.yml | 0 .../dawidd6_action-ansible-playbook.model.yml | 0 ...dawidd6_action-download-artifact.model.yml | 0 .../delaguardo_setup-clojure.model.yml | 0 ...tesystems_magic-nix-cache-action.model.yml | 0 ...er-practice_actions-setup-docker.model.yml | 0 .../docker_build-push-action.model.yml | 0 .../{ => manual}/endbug_latest-tag.model.yml | 0 .../expo_expo-github-action.model.yml | 0 ...seextended_action-hosting-deploy.model.yml | 0 .../frabert_replace-string-action.model.yml | 0 ...nzdiebold_github-env-vars-action.model.yml | 0 .../gabrielbb_xvfb-action.model.yml | 0 .../game-ci_unity-builder.model.yml | 0 .../game-ci_unity-test-runner.model.yml | 0 ...autamkrishnar_blog-post-workflow.model.yml | 0 .../getsentry_action-release.model.yml | 0 .../github_codeql-action.model.yml | 0 .../go-semantic-release_action.model.yml | 0 .../golangci_golangci-lint-action.model.yml | 0 .../gonuit_heroku-docker-deploy.model.yml | 0 .../goreleaser_goreleaser-action.model.yml | 0 ...te-or-update-pull-request-action.model.yml | 0 .../gradle_gradle-build-action.model.yml | 0 .../haya14busa_action-cond.model.yml | 0 .../hexlet_project-action.model.yml | 0 .../ilammy_msvc-dev-cmd.model.yml | 0 .../{ => manual}/ilammy_setup-nasm.model.yml | 0 .../{ => manual}/imjohnbo_issue-bot.model.yml | 0 .../iterative_setup-cml.model.yml | 0 .../iterative_setup-dvc.model.yml | 0 ...sives_github-pages-deploy-action.model.yml | 0 
.../jitterbit_get-changed-files.model.yml | 0 .../johnnymorganz_stylua-action.model.yml | 0 .../jsdaniell_create-json.model.yml | 0 .../jurplel_install-qt-action.model.yml | 0 .../jwalton_gh-ecr-push.model.yml | 0 ...han_pull-request-comment-trigger.model.yml | 0 ...leci-artifacts-redirector-action.model.yml | 0 .../leafo_gh-actions-lua.model.yml | 0 .../leafo_gh-actions-luarocks.model.yml | 0 .../lucasbento_auto-close-issues.model.yml | 0 ..._actions-find-and-replace-string.model.yml | 0 .../magefile_mage-action.model.yml | 0 .../maierj_fastlane-action.model.yml | 0 .../manusa_actions-setup-minikube.model.yml | 0 .../marocchino_on_artifact.model.yml | 0 .../mattdavis0351_actions.model.yml | 0 .../meteorengineer_setup-meteor.model.yml | 0 ...tro-digital_setup-tools-for-waas.model.yml | 0 .../microsoft_setup-msbuild.model.yml | 0 ...mishakav_pytest-coverage-comment.model.yml | 0 ...hers-excellent_docker-build-push.model.yml | 0 .../{ => manual}/msys2_setup-msys2.model.yml | 0 .../mxschmitt_action-tmate.model.yml | 0 .../mymindstorm_setup-emsdk.model.yml | 0 .../nanasess_setup-chromedriver.model.yml | 0 .../{ => manual}/nanasess_setup-php.model.yml | 0 .../{ => manual}/nick-fields_retry.model.yml | 0 .../octokit_graphql-action.model.yml | 0 .../octokit_request-action.model.yml | 0 .../olafurpg_setup-scala.model.yml | 0 .../paambaati_codeclimate-action.model.yml | 0 .../peter-evans_create-pull-request.model.yml | 0 ...-murray_issue-body-parser-action.model.yml | 0 .../plasmicapp_plasmic-action.model.yml | 0 .../preactjs_compressed-size-action.model.yml | 0 .../{ => manual}/py-actions_flake8.model.yml | 0 ...py-actions_py-dependency-install.model.yml | 0 .../pyo3_maturin-action.model.yml | 0 ...vecircus_android-emulator-runner.model.yml | 0 ...bers-in-action_download-artifact.model.yml | 0 .../reggionick_s3-deploy.model.yml | 0 .../renovatebot_github-action.model.yml | 0 .../roots_issue-closer-action.model.yml | 0 .../ros-tooling_setup-ros.model.yml | 0 .../{ => 
manual}/ruby_setup-ruby.model.yml | 0 ...ction-detect-and-tag-new-version.model.yml | 0 .../sergeysova_jq-action.model.yml | 0 ...shallwefootball_upload-s3-action.model.yml | 0 .../shogo82148_actions-setup-perl.model.yml | 0 ...skitionek_notify-microsoft-teams.model.yml | 0 .../snow-actions_eclint.model.yml | 0 .../stackhawk_hawkscan-action.model.yml | 0 .../step-security_harden-runner.model.yml | 0 .../suisei-cn_actions-download-file.model.yml | 0 .../{ => manual}/tibdex_backport.model.yml | 0 .../timheuer_base64-to-file.model.yml | 0 .../tj-actions_branch-names.model.yml | 0 .../trilom_file-changes-action.model.yml | 0 ...ss_conventional-changelog-action.model.yml | 0 .../tryghost_action-deploy-theme.model.yml | 0 .../tzkhan_pr-update-action.model.yml | 0 .../veracode_veracode-sca.model.yml | 0 .../wearerequired_lint-action.model.yml | 0 .../webfactory_ssh-agent.model.yml | 0 .../xt0rted_slash-command-action.model.yml | 0 .../zaproxy_action-baseline.model.yml | 0 .../zaproxy_action-full-scan.model.yml | 0 ql/lib/qlpack.yml | 6 +- ql/test/library-tests/workflowenum.ql | 2 +- 150 files changed, 224 insertions(+), 148 deletions(-) create mode 100644 ql/lib/codeql/actions/config/Config.qll create mode 100644 ql/lib/codeql/actions/config/ConfigExtensions.qll rename ql/lib/ext/{workflow-models/workflow-models.yml => config/context_event_map.yml} (78%) create mode 100644 ql/lib/ext/config/externally_triggereable_events.yml create mode 100644 ql/lib/ext/config/poisonable_steps.yml create mode 100644 ql/lib/ext/config/workflow_runtime_data.yml rename ql/lib/ext/{ => manual}/8398a7_action-slack.model.yml (100%) rename ql/lib/ext/{ => manual}/SonarSource_sonarcloud-github-action.model.yml (100%) rename ql/lib/ext/{ => manual}/actions_github-script.model.yml (100%) rename ql/lib/ext/{ => manual}/ahmadnassri_action-changed-files.model.yml (100%) rename ql/lib/ext/{ => manual}/akhileshns_heroku-deploy.model.yml (100%) rename ql/lib/ext/{ => 
manual}/amannn_action-semantic-pull-request.model.yml (100%) rename ql/lib/ext/{ => manual}/anchore_sbom-action.model.yml (100%) rename ql/lib/ext/{ => manual}/anchore_scan-action.model.yml (100%) rename ql/lib/ext/{ => manual}/andresz1_size-limit-action.model.yml (100%) rename ql/lib/ext/{ => manual}/android-actions_setup-android.model.yml (100%) rename ql/lib/ext/{ => manual}/apple-actions_import-codesign-certs.model.yml (100%) rename ql/lib/ext/{ => manual}/asdf-vm_actions.model.yml (100%) rename ql/lib/ext/{ => manual}/ashley-taylor_read-json-property-action.model.yml (100%) rename ql/lib/ext/{ => manual}/ashley-taylor_regex-property-action.model.yml (100%) rename ql/lib/ext/{ => manual}/aszc_change-string-case-action.model.yml (100%) rename ql/lib/ext/{ => manual}/aws-actions_configure-aws-credentials.model.yml (100%) rename ql/lib/ext/{ => manual}/axel-op_googlejavaformat-action.model.yml (100%) rename ql/lib/ext/{ => manual}/azure_powershell.model.yml (100%) rename ql/lib/ext/{ => manual}/bahmutov_npm-install.model.yml (100%) rename ql/lib/ext/{ => manual}/blackducksoftware_github-action.model.yml (100%) rename ql/lib/ext/{ => manual}/bobheadxi_deployments.model.yml (100%) rename ql/lib/ext/{ => manual}/bufbuild_buf-breaking-action.model.yml (100%) rename ql/lib/ext/{ => manual}/bufbuild_buf-lint-action.model.yml (100%) rename ql/lib/ext/{ => manual}/bufbuild_buf-setup-action.model.yml (100%) rename ql/lib/ext/{ => manual}/cachix_cachix-action.model.yml (100%) rename ql/lib/ext/{ => manual}/changesets_action.model.yml (100%) rename ql/lib/ext/{ => manual}/cloudflare_wrangler-action.model.yml (100%) rename ql/lib/ext/{ => manual}/coursier_cache-action.model.yml (100%) rename ql/lib/ext/{ => manual}/crazy-max_ghaction-chocolatey.model.yml (100%) rename ql/lib/ext/{ => manual}/crazy-max_ghaction-import-gpg.model.yml (100%) rename ql/lib/ext/{ => manual}/csexton_release-asset-action.model.yml (100%) rename ql/lib/ext/{ => 
manual}/cycjimmy_semantic-release-action.model.yml (100%) rename ql/lib/ext/{ => manual}/cypress-io_github-action.model.yml (100%) rename ql/lib/ext/{ => manual}/dailydotdev_action-devcard.model.yml (100%) rename ql/lib/ext/{ => manual}/danielpalme_reportgenerator-github-action.model.yml (100%) rename ql/lib/ext/{ => manual}/daspn_private-actions-checkout.model.yml (100%) rename ql/lib/ext/{ => manual}/dawidd6_action-ansible-playbook.model.yml (100%) rename ql/lib/ext/{ => manual}/dawidd6_action-download-artifact.model.yml (100%) rename ql/lib/ext/{ => manual}/delaguardo_setup-clojure.model.yml (100%) rename ql/lib/ext/{ => manual}/determinatesystems_magic-nix-cache-action.model.yml (100%) rename ql/lib/ext/{ => manual}/docker-practice_actions-setup-docker.model.yml (100%) rename ql/lib/ext/{ => manual}/docker_build-push-action.model.yml (100%) rename ql/lib/ext/{ => manual}/endbug_latest-tag.model.yml (100%) rename ql/lib/ext/{ => manual}/expo_expo-github-action.model.yml (100%) rename ql/lib/ext/{ => manual}/firebaseextended_action-hosting-deploy.model.yml (100%) rename ql/lib/ext/{ => manual}/frabert_replace-string-action.model.yml (100%) rename ql/lib/ext/{ => manual}/franzdiebold_github-env-vars-action.model.yml (100%) rename ql/lib/ext/{ => manual}/gabrielbb_xvfb-action.model.yml (100%) rename ql/lib/ext/{ => manual}/game-ci_unity-builder.model.yml (100%) rename ql/lib/ext/{ => manual}/game-ci_unity-test-runner.model.yml (100%) rename ql/lib/ext/{ => manual}/gautamkrishnar_blog-post-workflow.model.yml (100%) rename ql/lib/ext/{ => manual}/getsentry_action-release.model.yml (100%) rename ql/lib/ext/{ => manual}/github_codeql-action.model.yml (100%) rename ql/lib/ext/{ => manual}/go-semantic-release_action.model.yml (100%) rename ql/lib/ext/{ => manual}/golangci_golangci-lint-action.model.yml (100%) rename ql/lib/ext/{ => manual}/gonuit_heroku-docker-deploy.model.yml (100%) rename ql/lib/ext/{ => manual}/goreleaser_goreleaser-action.model.yml (100%) rename 
ql/lib/ext/{ => manual}/gr2m_create-or-update-pull-request-action.model.yml (100%) rename ql/lib/ext/{ => manual}/gradle_gradle-build-action.model.yml (100%) rename ql/lib/ext/{ => manual}/haya14busa_action-cond.model.yml (100%) rename ql/lib/ext/{ => manual}/hexlet_project-action.model.yml (100%) rename ql/lib/ext/{ => manual}/ilammy_msvc-dev-cmd.model.yml (100%) rename ql/lib/ext/{ => manual}/ilammy_setup-nasm.model.yml (100%) rename ql/lib/ext/{ => manual}/imjohnbo_issue-bot.model.yml (100%) rename ql/lib/ext/{ => manual}/iterative_setup-cml.model.yml (100%) rename ql/lib/ext/{ => manual}/iterative_setup-dvc.model.yml (100%) rename ql/lib/ext/{ => manual}/jamesives_github-pages-deploy-action.model.yml (100%) rename ql/lib/ext/{ => manual}/jitterbit_get-changed-files.model.yml (100%) rename ql/lib/ext/{ => manual}/johnnymorganz_stylua-action.model.yml (100%) rename ql/lib/ext/{ => manual}/jsdaniell_create-json.model.yml (100%) rename ql/lib/ext/{ => manual}/jurplel_install-qt-action.model.yml (100%) rename ql/lib/ext/{ => manual}/jwalton_gh-ecr-push.model.yml (100%) rename ql/lib/ext/{ => manual}/khan_pull-request-comment-trigger.model.yml (100%) rename ql/lib/ext/{ => manual}/larsoner_circleci-artifacts-redirector-action.model.yml (100%) rename ql/lib/ext/{ => manual}/leafo_gh-actions-lua.model.yml (100%) rename ql/lib/ext/{ => manual}/leafo_gh-actions-luarocks.model.yml (100%) rename ql/lib/ext/{ => manual}/lucasbento_auto-close-issues.model.yml (100%) rename ql/lib/ext/{ => manual}/mad9000_actions-find-and-replace-string.model.yml (100%) rename ql/lib/ext/{ => manual}/magefile_mage-action.model.yml (100%) rename ql/lib/ext/{ => manual}/maierj_fastlane-action.model.yml (100%) rename ql/lib/ext/{ => manual}/manusa_actions-setup-minikube.model.yml (100%) rename ql/lib/ext/{ => manual}/marocchino_on_artifact.model.yml (100%) rename ql/lib/ext/{ => manual}/mattdavis0351_actions.model.yml (100%) rename ql/lib/ext/{ => manual}/meteorengineer_setup-meteor.model.yml 
(100%) rename ql/lib/ext/{ => manual}/metro-digital_setup-tools-for-waas.model.yml (100%) rename ql/lib/ext/{ => manual}/microsoft_setup-msbuild.model.yml (100%) rename ql/lib/ext/{ => manual}/mishakav_pytest-coverage-comment.model.yml (100%) rename ql/lib/ext/{ => manual}/mr-smithers-excellent_docker-build-push.model.yml (100%) rename ql/lib/ext/{ => manual}/msys2_setup-msys2.model.yml (100%) rename ql/lib/ext/{ => manual}/mxschmitt_action-tmate.model.yml (100%) rename ql/lib/ext/{ => manual}/mymindstorm_setup-emsdk.model.yml (100%) rename ql/lib/ext/{ => manual}/nanasess_setup-chromedriver.model.yml (100%) rename ql/lib/ext/{ => manual}/nanasess_setup-php.model.yml (100%) rename ql/lib/ext/{ => manual}/nick-fields_retry.model.yml (100%) rename ql/lib/ext/{ => manual}/octokit_graphql-action.model.yml (100%) rename ql/lib/ext/{ => manual}/octokit_request-action.model.yml (100%) rename ql/lib/ext/{ => manual}/olafurpg_setup-scala.model.yml (100%) rename ql/lib/ext/{ => manual}/paambaati_codeclimate-action.model.yml (100%) rename ql/lib/ext/{ => manual}/peter-evans_create-pull-request.model.yml (100%) rename ql/lib/ext/{ => manual}/peter-murray_issue-body-parser-action.model.yml (100%) rename ql/lib/ext/{ => manual}/plasmicapp_plasmic-action.model.yml (100%) rename ql/lib/ext/{ => manual}/preactjs_compressed-size-action.model.yml (100%) rename ql/lib/ext/{ => manual}/py-actions_flake8.model.yml (100%) rename ql/lib/ext/{ => manual}/py-actions_py-dependency-install.model.yml (100%) rename ql/lib/ext/{ => manual}/pyo3_maturin-action.model.yml (100%) rename ql/lib/ext/{ => manual}/reactivecircus_android-emulator-runner.model.yml (100%) rename ql/lib/ext/{ => manual}/redhat-plumbers-in-action_download-artifact.model.yml (100%) rename ql/lib/ext/{ => manual}/reggionick_s3-deploy.model.yml (100%) rename ql/lib/ext/{ => manual}/renovatebot_github-action.model.yml (100%) rename ql/lib/ext/{ => manual}/roots_issue-closer-action.model.yml (100%) rename ql/lib/ext/{ => 
manual}/ros-tooling_setup-ros.model.yml (100%) rename ql/lib/ext/{ => manual}/ruby_setup-ruby.model.yml (100%) rename ql/lib/ext/{ => manual}/salsify_action-detect-and-tag-new-version.model.yml (100%) rename ql/lib/ext/{ => manual}/sergeysova_jq-action.model.yml (100%) rename ql/lib/ext/{ => manual}/shallwefootball_upload-s3-action.model.yml (100%) rename ql/lib/ext/{ => manual}/shogo82148_actions-setup-perl.model.yml (100%) rename ql/lib/ext/{ => manual}/skitionek_notify-microsoft-teams.model.yml (100%) rename ql/lib/ext/{ => manual}/snow-actions_eclint.model.yml (100%) rename ql/lib/ext/{ => manual}/stackhawk_hawkscan-action.model.yml (100%) rename ql/lib/ext/{ => manual}/step-security_harden-runner.model.yml (100%) rename ql/lib/ext/{ => manual}/suisei-cn_actions-download-file.model.yml (100%) rename ql/lib/ext/{ => manual}/tibdex_backport.model.yml (100%) rename ql/lib/ext/{ => manual}/timheuer_base64-to-file.model.yml (100%) rename ql/lib/ext/{ => manual}/tj-actions_branch-names.model.yml (100%) rename ql/lib/ext/{ => manual}/trilom_file-changes-action.model.yml (100%) rename ql/lib/ext/{ => manual}/tripss_conventional-changelog-action.model.yml (100%) rename ql/lib/ext/{ => manual}/tryghost_action-deploy-theme.model.yml (100%) rename ql/lib/ext/{ => manual}/tzkhan_pr-update-action.model.yml (100%) rename ql/lib/ext/{ => manual}/veracode_veracode-sca.model.yml (100%) rename ql/lib/ext/{ => manual}/wearerequired_lint-action.model.yml (100%) rename ql/lib/ext/{ => manual}/webfactory_ssh-agent.model.yml (100%) rename ql/lib/ext/{ => manual}/xt0rted_slash-command-action.model.yml (100%) rename ql/lib/ext/{ => manual}/zaproxy_action-baseline.model.yml (100%) rename ql/lib/ext/{ => manual}/zaproxy_action-full-scan.model.yml (100%) diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll index da54833e9a6..8d965c3e4c7 100644 --- a/ql/lib/codeql/actions/ast/internal/Ast.qll +++ b/ql/lib/codeql/actions/ast/internal/Ast.qll 
@@ -1,7 +1,7 @@ private import codeql.actions.ast.internal.Yaml private import codeql.Locations private import codeql.actions.Helper -private import codeql.actions.dataflow.ExternalFlow +private import codeql.actions.config.Config /** * Gets the length of each line in the StringValue . diff --git a/ql/lib/codeql/actions/config/Config.qll b/ql/lib/codeql/actions/config/Config.qll new file mode 100644 index 00000000000..d6a85c426c6 --- /dev/null +++ b/ql/lib/codeql/actions/config/Config.qll 
@@ -0,0 +1,74 @@
+import ConfigExtensions as Extensions
+
+/**
+ * MaD models for workflow details
+ * Fields:
+ * - path: Path to the workflow file
+ * - trigger: Trigger for the workflow
+ * - job: Job name
+ * - secrets_source: Source of secrets
+ * - permissions: Permissions for the workflow
+ * - runner: Runner info for the workflow
+ */
+predicate workflowDataModel(
+ string path, string trigger, string job, string secrets_source, string permissions, string runner
+) {
+ Extensions::workflowDataModel(path, trigger, job, secrets_source, permissions, runner)
+}
+
+/**
+ * MaD models for repository details
+ * Fields:
+ * - visibility: Visibility of the repository
+ * - default_branch_name: Default branch name
+ */
+predicate repositoryDataModel(string visibility, string default_branch_name) {
+ Extensions::repositoryDataModel(visibility, default_branch_name)
+}
+
+/**
+ * MaD models for context/trigger mapping
+ * Fields:
+ * - trigger: Trigger for the workflow
+ * - context_prefix: Prefix for the context
+ */
+predicate contextTriggerDataModel(string trigger, string context_prefix) {
+ Extensions::contextTriggerDataModel(trigger, context_prefix)
+}
+
+/**
+ * MaD models for externally triggerable events
+ * Fields:
+ * - event: Event name
+ */
+predicate externallyTriggerableEventsDataModel(string event) {
+ Extensions::externallyTriggerableEventsDataModel(event)
+}
+
+/**
+ * MaD models for poisonable commands
+ * Fields:
+ * - regexp: Regular expression for matching poisonable commands
+ */
+predicate poisonableCommandsDataModel(string regexp) {
+ Extensions::poisonableCommandsDataModel(regexp)
+}
+
+/**
+ * MaD models for poisonable local scripts
+ * Fields:
+ * - regexp: Regular expression for matching poisonable local scripts
+ * - group: Script capture group number for the regular expression
+ */
+predicate poisonableLocalScriptsDataModel(string regexp, int group) {
+ Extensions::poisonableLocalScriptsDataModel(regexp, group)
+}
+
+/**
+ * MaD models for poisonable actions
+ * Fields:
+ * - action: action name
+ */
+predicate poisonableActionsDataModel(string action) {
+ Extensions::poisonableActionsDataModel(action)
+}
diff --git a/ql/lib/codeql/actions/config/ConfigExtensions.qll b/ql/lib/codeql/actions/config/ConfigExtensions.qll
new file mode 100644
index 00000000000..3ca4b6a7559
--- /dev/null
+++ b/ql/lib/codeql/actions/config/ConfigExtensions.qll
@@ -0,0 +1,41 @@
+/**
+ * This module provides extensible predicates for defining MaD models.
+ */
+
+/**
+ * Holds if workflow data model exists for the given parameters.
+ */
+extensible predicate workflowDataModel(
+ string path, string trigger, string job, string secrets_source, string permissions, string runner
+);
+
+/**
+ * Holds if repository data model exists for the given parameters.
+ */
+extensible predicate repositoryDataModel(string visibility, string default_branch_name);
+
+/**
+ * Holds if a context expression starting with context_prefix is available for a given trigger.
+ */
+extensible predicate contextTriggerDataModel(string trigger, string context_prefix);
+
+/**
+ * Holds if a given trigger event can be fired by an external actor.
+ */
+extensible predicate externallyTriggerableEventsDataModel(string event);
+
+/**
+ * Holds for strings that match poisonable commands.
+ */
+extensible predicate poisonableCommandsDataModel(string regexp);
+
+/**
+ * Holds for strings that match poisonable local scripts.
+ */
+extensible predicate poisonableLocalScriptsDataModel(string regexp, int group);
+
+/**
+ * Holds for actions that can be poisoned through local files.
+ */
+extensible predicate poisonableActionsDataModel(string action);
+
diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
index d0b84f918d5..2cb8c56b147 100644
--- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
+++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
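Review bot: The doc comment on `poisonableLocalScriptsDataModel` never says what `group` is, and the one on `poisonableCommandsDataModel` says the rows "match poisonable commands" without saying that `regexp` is a pattern rather than a literal command; both contracts matter here because these predicates are `extensible`, so any downstream pack can add rows and will read only this file. Suggest `Holds for a regular expression matching an invocation of a local script, where `group` is the capture group (as numbered by `regexpCapture`) that holds the script path.` for the former and `Holds for a regular expression (not a literal) that matches a poisonable command line.` for the latter. The trailing blank line before the next file header also leaves the new file ending with an empty line.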
@@ -2,51 +2,6 @@ private import internal.ExternalFlowExtensions as Extensions private import codeql.actions.DataFlow private import actions -/** - * MaD models for workflow details - * Fields: - * - path: Path to the workflow file - * - trigger: Trigger for the workflow - * - job: Job name - * - secrets_source: Source of secrets - * - permissions: Permissions for the workflow - * - runner: Runner info for the workflow - */ -predicate workflowDataModel( - string path, string trigger, string job, string secrets_source, string permissions, string runner -) { - Extensions::workflowDataModel(path, trigger, job, secrets_source, permissions, runner) -} - -/** - * MaD models for repository details - * Fields: - * - visibility: Visibility of the repository - * - default_branch_name: Default branch name - */ -predicate repositoryDataModel(string visibility, string default_branch_name) { - Extensions::repositoryDataModel(visibility, default_branch_name) -} - -/** - * MaD models for context/trigger mapping - * Fields: - * - trigger: Trigger for the workflow - * - context_prefix: Prefix for the context - */ -predicate contextTriggerDataModel(string trigger, string context_prefix) { - Extensions::contextTriggerDataModel(trigger, context_prefix) -} - -/** - * MaD models for externally triggerable events - * Fields: - * - event: Event name - */ -predicate externallyTriggerableEventsDataModel(string event) { - Extensions::externallyTriggerableEventsDataModel(event) -} - /** * MaD sources * Fields: diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll index 7217796d138..b09664359ab 100644 --- a/ql/lib/codeql/actions/dataflow/FlowSources.qll +++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll 
@@ -1,5 +1,6 @@ -private import codeql.actions.dataflow.ExternalFlow private import codeql.actions.security.ArtifactPoisoningQuery +private import codeql.actions.config.Config +private import codeql.actions.dataflow.ExternalFlow /** * A data flow source. diff --git a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll index 05f71cfc0be..bd9d73b4170 100644 --- a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll +++ b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll @@ -22,25 +22,3 @@ extensible predicate actionsSummaryModel( extensible predicate actionsSinkModel( string action, string version, string input, string kind, string provenance ); - -/** - * Holds if workflow data model exists for the given parameters. - */ -extensible predicate workflowDataModel( - string path, string trigger, string job, string secrets_source, string permissions, string runner -); - -/** - * Holds if repository data model exists for the given parameters. - */ -extensible predicate repositoryDataModel(string visibility, string default_branch_name); - -/** - * Holds if a context expression starting with context_prefix is available for a given trigger. - */ -extensible predicate contextTriggerDataModel(string trigger, string context_prefix); - -/** - * Holds if a given trigger event can be fired by an external actor. - */ -extensible predicate externallyTriggerableEventsDataModel(string event); diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll index 44c3c64a5a6..d2853591d61 100644 --- a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll 
@@ -254,8 +254,8 @@ class ArtifactPoisoningSink extends DataFlow::Node { poisonable.(UsesStep) = this.asExpr() ) and ( - not poisonable instanceof LocalCommandExecutionRunStep or - poisonable.(LocalCommandExecutionRunStep).getCommand().matches(download.getPath() + "%") + not poisonable instanceof LocalScriptExecutionRunStep or + poisonable.(LocalScriptExecutionRunStep).getCommand().matches(download.getPath() + "%") ) ) } diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll index e80ea71c958..1a3e7b2b2f7 100644 --- a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll +++ b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll @@ -1,5 +1,5 @@ import actions -import codeql.actions.dataflow.ExternalFlow +import codeql.actions.config.Config string defaultBranchTriggerEvent() { result = diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll index b1d5269d44a..d9978b2a423 100644 --- a/ql/lib/codeql/actions/security/PoisonableSteps.qll +++ b/ql/lib/codeql/actions/security/PoisonableSteps.qll 
@@ -1,67 +1,35 @@ import actions +import codeql.actions.config.Config abstract class PoisonableStep extends Step { } -// source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L16 private string dangerousActions() { - result = - [ - "pre-commit/action", "oxsecurity/megalinter", "bridgecrewio/checkov-action", - "ruby/setup-ruby", "actions/jekyll-build-pages" - ] + exists(string action | + poisonableActionsDataModel(action) and + result = action + ) } class DangerousActionUsesStep extends PoisonableStep, UsesStep { DangerousActionUsesStep() { this.getCallee() = dangerousActions() } } -// source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L23 -private string dangerousCommands() { - result = - [ - "npm i(nstall)?(\\b|$)", "npm run ", "yarn ", "npm ci(\\b|$)", "make ", "terraform plan", - "terraform apply", "gomplate ", "pre-commit run", "pre-commit install", "go generate", - "msbuild ", "mvn ", "gradle ", "bundle install", "bundle exec ", "^ant ", "mkdocs build", - "pytest", "pip install -r ", "pip install --requirement", "java -jar ", "poetry install", - "poetry run", "cargo " - ] -} - -class BuildRunStep extends PoisonableStep, Run { - BuildRunStep() { - exists( - this.getScript().splitAt("\n").trim().regexpFind("([^a-z]|^)" + dangerousCommands(), _, _) +class PoisonableCommandStep extends PoisonableStep, Run { + PoisonableCommandStep() { + exists(string regexp | + poisonableCommandsDataModel(regexp) and + exists(this.getScript().splitAt("\n").trim().regexpFind("([^a-z]|^)" + regexp, _, _)) ) } } -bindingset[cmdRegexp] -string wrapLocalCmd(string cmdRegexp) { result = "(^|;\\s*|\\s+)" + cmdRegexp + "(\\s+|;|$)" } - -class LocalCommandExecutionRunStep extends PoisonableStep, Run { +class LocalScriptExecutionRunStep extends PoisonableStep, Run { string cmd; - LocalCommandExecutionRunStep() { - // Heuristic: - exists(string line | line = 
this.getScript().splitAt("\n").trim() | - // ./xxxx - // TODO: It could also be in the form of `dir/cmd` - cmd = line.regexpCapture(wrapLocalCmd("\\.\\/(.*)"), 2) - or - // sh xxxx - cmd = line.regexpCapture(wrapLocalCmd("(ba|z|fi)?sh\\s+(.*)"), 3) - or - // node xxxx.js - cmd = line.regexpCapture(wrapLocalCmd("node\\s+(.*)(\\.js|\\.ts)"), 2) - or - // python xxxx.py - cmd = line.regexpCapture(wrapLocalCmd("python\\s+(.*)\\.py"), 2) - or - // ruby xxxx.rb - cmd = line.regexpCapture(wrapLocalCmd("ruby\\s+(.*)\\.rb"), 2) - or - // go xxxx.go - cmd = line.regexpCapture(wrapLocalCmd("go\\s+(.*)\\.go"), 2) + LocalScriptExecutionRunStep() { + exists(string line, string regexp, int group | line = this.getScript().splitAt("\n").trim() | + poisonableLocalScriptsDataModel(regexp, group) and + cmd = line.regexpCapture(regexp, group) ) } diff --git a/ql/lib/codeql/actions/security/SelfHostedQuery.qll b/ql/lib/codeql/actions/security/SelfHostedQuery.qll index 03b6c87405e..419b2ac81a9 100644 --- a/ql/lib/codeql/actions/security/SelfHostedQuery.qll +++ b/ql/lib/codeql/actions/security/SelfHostedQuery.qll @@ -1,5 +1,5 @@ import actions -import codeql.actions.dataflow.ExternalFlow +import codeql.actions.config.Config bindingset[runner] predicate isGithubHostedRunner(string runner) { diff --git a/ql/lib/ext/workflow-models/workflow-models.yml b/ql/lib/ext/config/context_event_map.yml similarity index 78% rename from ql/lib/ext/workflow-models/workflow-models.yml rename to ql/lib/ext/config/context_event_map.yml index 1f0401e8e61..e09dab14f2b 100644 --- a/ql/lib/ext/workflow-models/workflow-models.yml +++ b/ql/lib/ext/config/context_event_map.yml @@ -1,12 +1,4 @@ extensions: - - addsTo: - pack: github/actions-all - extensible: repositoryDataModel - data: [] - - addsTo: - pack: github/actions-all - extensible: workflowDataModel - data: [] - addsTo: pack: github/actions-all extensible: contextTriggerDataModel 
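Review bot: The renames `BuildRunStep` → `PoisonableCommandStep` and `LocalCommandExecutionRunStep` → `LocalScriptExecutionRunStep` are visible-API changes for any query outside this pack that referenced or extended the old classes; the commit updates `ArtifactPoisoningQuery.qll` but keeps no compatibility alias. If the pack has external consumers, keeping `deprecated class BuildRunStep = PoisonableCommandStep;` and `deprecated class LocalCommandExecutionRunStep = LocalScriptExecutionRunStep;` for one release avoids breaking them. Separately, the new body of `dangerousActions()` can be written as `result = any(string action | poisonableActionsDataModel(action))`, or simply `poisonableActionsDataModel(result)`, with no change in meaning. The body of `LocalScriptExecutionRunStep` continues past the end of the hunk.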
@@ -54,19 +46,4 @@ extensions:
 - ["workflow_call", "github.event.review"]
 - ["workflow_call", "github.event.workflow"]
 - ["workflow_call", "github.event.workflow_run"]
- - addsTo:
- pack: github/actions-all
- extensible: externallyTriggerableEventsDataModel
- data:
- - ["discussion"]
- - ["discussion_comment"]
- - ["fork"]
- - ["issue_comment"]
- - ["issues"]
- - ["pull_request"]
- - ["pull_request_comment"]
- - ["pull_request_review"]
- - ["pull_request_review_comment"]
- - ["pull_request_target"]
- - ["workflow_run"] # depending on trigger workflow
- - ["workflow_call"] # depending on caller
+
diff --git a/ql/lib/ext/config/externally_triggereable_events.yml b/ql/lib/ext/config/externally_triggereable_events.yml
new file mode 100644
index 00000000000..88d17c728b7
--- /dev/null
+++ b/ql/lib/ext/config/externally_triggereable_events.yml
@@ -0,0 +1,18 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: externallyTriggerableEventsDataModel
+ data:
+ - ["discussion"]
+ - ["discussion_comment"]
+ - ["fork"]
+ - ["issue_comment"]
+ - ["issues"]
+ - ["pull_request"]
+ - ["pull_request_comment"]
+ - ["pull_request_review"]
+ - ["pull_request_review_comment"]
+ - ["pull_request_target"]
+ - ["workflow_run"] # depending on trigger workflow
+ - ["workflow_call"] # depending on caller
+
diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml
new file mode 100644
index 00000000000..9a9af08872c
--- /dev/null
+++ b/ql/lib/ext/config/poisonable_steps.yml
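Review bot: The new file name `externally_triggereable_events.yml` misspells "triggerable" while the predicate it feeds is `externallyTriggerableEventsDataModel`; renaming it to `externally_triggerable_events.yml` before this lands avoids a second rename commit and keeps the file findable by the predicate name. The two conditional rows carry only terse trailing comments; spelling them out as `# workflow_run: only as externally triggerable as the workflow that triggers it` and `# workflow_call: only as externally triggerable as the caller workflow` tells a reader why these two are listed unconditionally even though the comments say they are not. The file also ends with a blank `+` line, as does the trimmed `context_event_map.yml` hunk above it.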
@@ -0,0 +1,55 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: poisonableActionsDataModel
+ # source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L16
+ # source: https://boostsecurityio.github.io/lotp/
+ data:
+ - ["pre-commit/action"]
+ - ["oxsecurity/megalinter"]
+ - ["bridgecrewio/checkov-action"]
+ - ["ruby/setup-ruby"]
+ - ["actions/jekyll-build-pages"]
+ - addsTo:
+ pack: github/actions-all
+ extensible: poisonableCommandsDataModel
+ # source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L23
+ # source: https://boostsecurityio.github.io/lotp/
+ data:
+ - ["ant "]
+ - ["bundle install"]
+ - ["bundle exec "]
+ - ["cargo "]
+ - ["go generate"]
+ - ["gomplate "]
+ - ["gradle "]
+ - ["java -jar "]
+ - ["make "]
+ - ["mkdocs build"]
+ - ["msbuild "]
+ - ["mvn "]
+ - ["npm i(nstall)?(\\b|$)"]
+ - ["npm run "]
+ - ["npm ci(\\b|$)"]
+ - ["pip install -r "]
+ - ["pip install --requirement"]
+ - ["poetry install"]
+ - ["poetry run"]
+ - ["pre-commit run"]
+ - ["pre-commit install"]
+ - ["pytest"]
+ - ["terraform plan"]
+ - ["terraform apply"]
+ - ["yarn "]
+ - addsTo:
+ pack: github/actions-all
+ extensible: poisonableLocalScriptsDataModel
+ data:
+ # TODO: It could also be in the form of `dir/cmd`
+ - ["(^|;\\s*|\\s+)(\\.\\/)(.*)(\\s+|;|$)", 3]
+ - ["(^|;\\s*|\\s+)(source|sh|bash|zsh|fish)\\s+(.*)(\\s+|;|$)", 3]
+ - ["(^|;\\s*|\\s+)(node)\\s+(.*)(\\.js|\\.ts)(\\s+|;|$)", 3]
+ - ["(^|;\\s*|\\s+)(python)\\s+(.*)\\.py(\\s+|;|$)", 3]
+ - ["(^|;\\s*|\\s+)(ruby)\\s+(.*)\\.rb(\\s+|;|$)", 3]
+ - ["(^|;\\s*|\\s+)(go)\\s+(.*)\\.go(\\s+|;|$)", 3]
+
diff --git a/ql/lib/ext/config/workflow_runtime_data.yml b/ql/lib/ext/config/workflow_runtime_data.yml
new file mode 100644
index 00000000000..88e266d8142
--- /dev/null
+++ b/ql/lib/ext/config/workflow_runtime_data.yml
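Review bot: Entries such as `- ["make "]`, `- ["ant "]`, `- ["cargo "]` and `- ["yarn "]` in `poisonableCommandsDataModel` end in a literal space, so a build command that closes the script line (a bare `make`) is not matched, whereas `npm ci(\\b|$)` in the same list already shows the boundary idiom; `- ["make(\\s|$)"]` (and the same for the other trailing-space rows) would cover both forms. The list also mixes plain substrings with regular-expression syntax (`npm i(nstall)?(\\b|$)`) without saying how the consumer in PoisonableSteps.qll applies them; assuming they are used as regexes, a comment above the first `data:` such as `# each entry is a regular expression tested against the step's run script` would make that contract explicit for anyone adding rows. In `poisonableLocalScriptsDataModel` the prefix `(^|;\\s*|\\s+)` and suffix `(\\s+|;|$)` that the removed `wrapLocalCmd` calls used to supply are now repeated in all six rows together with the capture-group index, so a comment noting that the second column must point at the group holding the script path would stop a future row from silently shifting the index.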
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: repositoryDataModel
+ data: []
+ - addsTo:
+ pack: github/actions-all
+ extensible: workflowDataModel
+ data: []
diff --git a/ql/lib/ext/8398a7_action-slack.model.yml b/ql/lib/ext/manual/8398a7_action-slack.model.yml
similarity index 100%
rename from ql/lib/ext/8398a7_action-slack.model.yml
rename to ql/lib/ext/manual/8398a7_action-slack.model.yml
diff --git a/ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml b/ql/lib/ext/manual/SonarSource_sonarcloud-github-action.model.yml
similarity index 100%
rename from ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml
rename to ql/lib/ext/manual/SonarSource_sonarcloud-github-action.model.yml
diff --git a/ql/lib/ext/actions_github-script.model.yml b/ql/lib/ext/manual/actions_github-script.model.yml
similarity index 100%
rename from ql/lib/ext/actions_github-script.model.yml
rename to ql/lib/ext/manual/actions_github-script.model.yml
diff --git a/ql/lib/ext/ahmadnassri_action-changed-files.model.yml b/ql/lib/ext/manual/ahmadnassri_action-changed-files.model.yml
similarity index 100%
rename from ql/lib/ext/ahmadnassri_action-changed-files.model.yml
rename to ql/lib/ext/manual/ahmadnassri_action-changed-files.model.yml
diff --git a/ql/lib/ext/akhileshns_heroku-deploy.model.yml b/ql/lib/ext/manual/akhileshns_heroku-deploy.model.yml
similarity index 100%
rename from ql/lib/ext/akhileshns_heroku-deploy.model.yml
rename to ql/lib/ext/manual/akhileshns_heroku-deploy.model.yml
diff --git a/ql/lib/ext/amannn_action-semantic-pull-request.model.yml b/ql/lib/ext/manual/amannn_action-semantic-pull-request.model.yml
similarity index 100%
rename from ql/lib/ext/amannn_action-semantic-pull-request.model.yml
rename to ql/lib/ext/manual/amannn_action-semantic-pull-request.model.yml
diff --git a/ql/lib/ext/anchore_sbom-action.model.yml b/ql/lib/ext/manual/anchore_sbom-action.model.yml
similarity index 100%
rename from ql/lib/ext/anchore_sbom-action.model.yml
rename to ql/lib/ext/manual/anchore_sbom-action.model.yml
diff --git a/ql/lib/ext/anchore_scan-action.model.yml b/ql/lib/ext/manual/anchore_scan-action.model.yml
similarity index 100%
rename from ql/lib/ext/anchore_scan-action.model.yml
rename to ql/lib/ext/manual/anchore_scan-action.model.yml
diff --git a/ql/lib/ext/andresz1_size-limit-action.model.yml b/ql/lib/ext/manual/andresz1_size-limit-action.model.yml
similarity index 100%
rename from ql/lib/ext/andresz1_size-limit-action.model.yml
rename to ql/lib/ext/manual/andresz1_size-limit-action.model.yml
diff --git a/ql/lib/ext/android-actions_setup-android.model.yml b/ql/lib/ext/manual/android-actions_setup-android.model.yml
similarity index 100%
rename from ql/lib/ext/android-actions_setup-android.model.yml
rename to ql/lib/ext/manual/android-actions_setup-android.model.yml
diff --git a/ql/lib/ext/apple-actions_import-codesign-certs.model.yml b/ql/lib/ext/manual/apple-actions_import-codesign-certs.model.yml
similarity index 100%
rename from ql/lib/ext/apple-actions_import-codesign-certs.model.yml
rename to ql/lib/ext/manual/apple-actions_import-codesign-certs.model.yml
diff --git a/ql/lib/ext/asdf-vm_actions.model.yml b/ql/lib/ext/manual/asdf-vm_actions.model.yml
similarity index 100%
rename from ql/lib/ext/asdf-vm_actions.model.yml
rename to ql/lib/ext/manual/asdf-vm_actions.model.yml
diff --git a/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml b/ql/lib/ext/manual/ashley-taylor_read-json-property-action.model.yml
similarity index 100%
rename from ql/lib/ext/ashley-taylor_read-json-property-action.model.yml
rename to ql/lib/ext/manual/ashley-taylor_read-json-property-action.model.yml
diff --git a/ql/lib/ext/ashley-taylor_regex-property-action.model.yml b/ql/lib/ext/manual/ashley-taylor_regex-property-action.model.yml
similarity index 100%
rename from ql/lib/ext/ashley-taylor_regex-property-action.model.yml
rename to ql/lib/ext/manual/ashley-taylor_regex-property-action.model.yml
diff --git a/ql/lib/ext/aszc_change-string-case-action.model.yml b/ql/lib/ext/manual/aszc_change-string-case-action.model.yml
similarity index 100%
rename from ql/lib/ext/aszc_change-string-case-action.model.yml
rename to ql/lib/ext/manual/aszc_change-string-case-action.model.yml
diff --git a/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml b/ql/lib/ext/manual/aws-actions_configure-aws-credentials.model.yml
similarity index 100%
rename from ql/lib/ext/aws-actions_configure-aws-credentials.model.yml
rename to ql/lib/ext/manual/aws-actions_configure-aws-credentials.model.yml
diff --git a/ql/lib/ext/axel-op_googlejavaformat-action.model.yml b/ql/lib/ext/manual/axel-op_googlejavaformat-action.model.yml
similarity index 100%
rename from ql/lib/ext/axel-op_googlejavaformat-action.model.yml
rename to ql/lib/ext/manual/axel-op_googlejavaformat-action.model.yml
diff --git a/ql/lib/ext/azure_powershell.model.yml b/ql/lib/ext/manual/azure_powershell.model.yml
similarity index 100%
rename from ql/lib/ext/azure_powershell.model.yml
rename to ql/lib/ext/manual/azure_powershell.model.yml
diff --git a/ql/lib/ext/bahmutov_npm-install.model.yml b/ql/lib/ext/manual/bahmutov_npm-install.model.yml
similarity index 100%
rename from ql/lib/ext/bahmutov_npm-install.model.yml
rename to ql/lib/ext/manual/bahmutov_npm-install.model.yml
diff --git a/ql/lib/ext/blackducksoftware_github-action.model.yml b/ql/lib/ext/manual/blackducksoftware_github-action.model.yml
similarity index 100%
rename from ql/lib/ext/blackducksoftware_github-action.model.yml
rename to ql/lib/ext/manual/blackducksoftware_github-action.model.yml
diff --git a/ql/lib/ext/bobheadxi_deployments.model.yml b/ql/lib/ext/manual/bobheadxi_deployments.model.yml
similarity index 100%
rename from ql/lib/ext/bobheadxi_deployments.model.yml
rename to ql/lib/ext/manual/bobheadxi_deployments.model.yml
diff --git a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml b/ql/lib/ext/manual/bufbuild_buf-breaking-action.model.yml
similarity index 100%
rename from ql/lib/ext/bufbuild_buf-breaking-action.model.yml
rename to ql/lib/ext/manual/bufbuild_buf-breaking-action.model.yml
diff --git a/ql/lib/ext/bufbuild_buf-lint-action.model.yml b/ql/lib/ext/manual/bufbuild_buf-lint-action.model.yml
similarity index 100%
rename from ql/lib/ext/bufbuild_buf-lint-action.model.yml
rename to ql/lib/ext/manual/bufbuild_buf-lint-action.model.yml
diff --git a/ql/lib/ext/bufbuild_buf-setup-action.model.yml b/ql/lib/ext/manual/bufbuild_buf-setup-action.model.yml
similarity index 100%
rename from ql/lib/ext/bufbuild_buf-setup-action.model.yml
rename to ql/lib/ext/manual/bufbuild_buf-setup-action.model.yml
diff --git a/ql/lib/ext/cachix_cachix-action.model.yml b/ql/lib/ext/manual/cachix_cachix-action.model.yml
similarity index 100%
rename from ql/lib/ext/cachix_cachix-action.model.yml
rename to ql/lib/ext/manual/cachix_cachix-action.model.yml
diff --git a/ql/lib/ext/changesets_action.model.yml b/ql/lib/ext/manual/changesets_action.model.yml
similarity index 100%
rename from ql/lib/ext/changesets_action.model.yml
rename to ql/lib/ext/manual/changesets_action.model.yml
diff --git a/ql/lib/ext/cloudflare_wrangler-action.model.yml b/ql/lib/ext/manual/cloudflare_wrangler-action.model.yml
similarity index 100%
rename from ql/lib/ext/cloudflare_wrangler-action.model.yml
rename to ql/lib/ext/manual/cloudflare_wrangler-action.model.yml
diff --git a/ql/lib/ext/coursier_cache-action.model.yml b/ql/lib/ext/manual/coursier_cache-action.model.yml
similarity index 100%
rename from ql/lib/ext/coursier_cache-action.model.yml
rename to ql/lib/ext/manual/coursier_cache-action.model.yml
diff --git a/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml b/ql/lib/ext/manual/crazy-max_ghaction-chocolatey.model.yml
similarity index 100%
rename from ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml
rename to ql/lib/ext/manual/crazy-max_ghaction-chocolatey.model.yml
diff --git a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml b/ql/lib/ext/manual/crazy-max_ghaction-import-gpg.model.yml
similarity index 100%
rename from ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml
rename to ql/lib/ext/manual/crazy-max_ghaction-import-gpg.model.yml
diff --git a/ql/lib/ext/csexton_release-asset-action.model.yml b/ql/lib/ext/manual/csexton_release-asset-action.model.yml
similarity index 100%
rename from ql/lib/ext/csexton_release-asset-action.model.yml
rename to ql/lib/ext/manual/csexton_release-asset-action.model.yml
diff --git a/ql/lib/ext/cycjimmy_semantic-release-action.model.yml b/ql/lib/ext/manual/cycjimmy_semantic-release-action.model.yml
similarity index 100%
rename from ql/lib/ext/cycjimmy_semantic-release-action.model.yml
rename to ql/lib/ext/manual/cycjimmy_semantic-release-action.model.yml
diff --git a/ql/lib/ext/cypress-io_github-action.model.yml b/ql/lib/ext/manual/cypress-io_github-action.model.yml
similarity index 100%
rename from ql/lib/ext/cypress-io_github-action.model.yml
rename to ql/lib/ext/manual/cypress-io_github-action.model.yml
diff --git a/ql/lib/ext/dailydotdev_action-devcard.model.yml b/ql/lib/ext/manual/dailydotdev_action-devcard.model.yml
similarity index 100%
rename from ql/lib/ext/dailydotdev_action-devcard.model.yml
rename to ql/lib/ext/manual/dailydotdev_action-devcard.model.yml
diff --git a/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml b/ql/lib/ext/manual/danielpalme_reportgenerator-github-action.model.yml
similarity index 100%
rename from ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml
rename to ql/lib/ext/manual/danielpalme_reportgenerator-github-action.model.yml
diff --git a/ql/lib/ext/daspn_private-actions-checkout.model.yml b/ql/lib/ext/manual/daspn_private-actions-checkout.model.yml
similarity index 100%
rename from ql/lib/ext/daspn_private-actions-checkout.model.yml
rename to ql/lib/ext/manual/daspn_private-actions-checkout.model.yml
diff --git a/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml b/ql/lib/ext/manual/dawidd6_action-ansible-playbook.model.yml
similarity index 100%
rename from ql/lib/ext/dawidd6_action-ansible-playbook.model.yml
rename to ql/lib/ext/manual/dawidd6_action-ansible-playbook.model.yml
diff --git a/ql/lib/ext/dawidd6_action-download-artifact.model.yml b/ql/lib/ext/manual/dawidd6_action-download-artifact.model.yml
similarity index 100%
rename from ql/lib/ext/dawidd6_action-download-artifact.model.yml
rename to ql/lib/ext/manual/dawidd6_action-download-artifact.model.yml
diff --git a/ql/lib/ext/delaguardo_setup-clojure.model.yml b/ql/lib/ext/manual/delaguardo_setup-clojure.model.yml
similarity index 100%
rename from ql/lib/ext/delaguardo_setup-clojure.model.yml
rename to ql/lib/ext/manual/delaguardo_setup-clojure.model.yml
diff --git a/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml b/ql/lib/ext/manual/determinatesystems_magic-nix-cache-action.model.yml
similarity index 100%
rename from ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml
rename to ql/lib/ext/manual/determinatesystems_magic-nix-cache-action.model.yml
diff --git a/ql/lib/ext/docker-practice_actions-setup-docker.model.yml b/ql/lib/ext/manual/docker-practice_actions-setup-docker.model.yml
similarity index 100%
rename from ql/lib/ext/docker-practice_actions-setup-docker.model.yml
rename to ql/lib/ext/manual/docker-practice_actions-setup-docker.model.yml
diff --git a/ql/lib/ext/docker_build-push-action.model.yml b/ql/lib/ext/manual/docker_build-push-action.model.yml
similarity index 100%
rename from ql/lib/ext/docker_build-push-action.model.yml
rename to ql/lib/ext/manual/docker_build-push-action.model.yml
diff --git a/ql/lib/ext/endbug_latest-tag.model.yml b/ql/lib/ext/manual/endbug_latest-tag.model.yml
similarity index 100%
rename from ql/lib/ext/endbug_latest-tag.model.yml
rename to ql/lib/ext/manual/endbug_latest-tag.model.yml
diff --git a/ql/lib/ext/expo_expo-github-action.model.yml b/ql/lib/ext/manual/expo_expo-github-action.model.yml
similarity index 100%
rename from ql/lib/ext/expo_expo-github-action.model.yml
rename to ql/lib/ext/manual/expo_expo-github-action.model.yml
diff --git a/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml b/ql/lib/ext/manual/firebaseextended_action-hosting-deploy.model.yml
similarity index 100%
rename from ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml
rename to ql/lib/ext/manual/firebaseextended_action-hosting-deploy.model.yml
diff --git a/ql/lib/ext/frabert_replace-string-action.model.yml b/ql/lib/ext/manual/frabert_replace-string-action.model.yml
similarity index 100%
rename from ql/lib/ext/frabert_replace-string-action.model.yml
rename to ql/lib/ext/manual/frabert_replace-string-action.model.yml
diff --git a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml b/ql/lib/ext/manual/franzdiebold_github-env-vars-action.model.yml
similarity index 100%
rename from ql/lib/ext/franzdiebold_github-env-vars-action.model.yml
rename to ql/lib/ext/manual/franzdiebold_github-env-vars-action.model.yml
diff --git a/ql/lib/ext/gabrielbb_xvfb-action.model.yml b/ql/lib/ext/manual/gabrielbb_xvfb-action.model.yml
similarity index 100%
rename from ql/lib/ext/gabrielbb_xvfb-action.model.yml
rename to ql/lib/ext/manual/gabrielbb_xvfb-action.model.yml
diff --git a/ql/lib/ext/game-ci_unity-builder.model.yml b/ql/lib/ext/manual/game-ci_unity-builder.model.yml
similarity index 100%
rename from ql/lib/ext/game-ci_unity-builder.model.yml
rename to ql/lib/ext/manual/game-ci_unity-builder.model.yml
diff --git a/ql/lib/ext/game-ci_unity-test-runner.model.yml b/ql/lib/ext/manual/game-ci_unity-test-runner.model.yml
similarity index 100%
rename from ql/lib/ext/game-ci_unity-test-runner.model.yml
rename to ql/lib/ext/manual/game-ci_unity-test-runner.model.yml
diff --git a/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml b/ql/lib/ext/manual/gautamkrishnar_blog-post-workflow.model.yml
similarity index 100%
rename from ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml
rename to ql/lib/ext/manual/gautamkrishnar_blog-post-workflow.model.yml
diff --git a/ql/lib/ext/getsentry_action-release.model.yml b/ql/lib/ext/manual/getsentry_action-release.model.yml
similarity index 100%
rename from ql/lib/ext/getsentry_action-release.model.yml
rename to ql/lib/ext/manual/getsentry_action-release.model.yml
diff --git a/ql/lib/ext/github_codeql-action.model.yml b/ql/lib/ext/manual/github_codeql-action.model.yml
similarity index 100%
rename from ql/lib/ext/github_codeql-action.model.yml
rename to ql/lib/ext/manual/github_codeql-action.model.yml
diff --git a/ql/lib/ext/go-semantic-release_action.model.yml b/ql/lib/ext/manual/go-semantic-release_action.model.yml
similarity index 100%
rename from ql/lib/ext/go-semantic-release_action.model.yml
rename to ql/lib/ext/manual/go-semantic-release_action.model.yml
diff --git a/ql/lib/ext/golangci_golangci-lint-action.model.yml b/ql/lib/ext/manual/golangci_golangci-lint-action.model.yml
similarity index 100%
rename from ql/lib/ext/golangci_golangci-lint-action.model.yml
rename to ql/lib/ext/manual/golangci_golangci-lint-action.model.yml
diff --git a/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml b/ql/lib/ext/manual/gonuit_heroku-docker-deploy.model.yml
similarity index 100%
rename from ql/lib/ext/gonuit_heroku-docker-deploy.model.yml
rename to ql/lib/ext/manual/gonuit_heroku-docker-deploy.model.yml
diff --git a/ql/lib/ext/goreleaser_goreleaser-action.model.yml b/ql/lib/ext/manual/goreleaser_goreleaser-action.model.yml
similarity index 100%
rename from ql/lib/ext/goreleaser_goreleaser-action.model.yml
rename to ql/lib/ext/manual/goreleaser_goreleaser-action.model.yml
diff --git a/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml b/ql/lib/ext/manual/gr2m_create-or-update-pull-request-action.model.yml
similarity index 100%
rename from ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml
rename to ql/lib/ext/manual/gr2m_create-or-update-pull-request-action.model.yml
diff --git a/ql/lib/ext/gradle_gradle-build-action.model.yml b/ql/lib/ext/manual/gradle_gradle-build-action.model.yml
similarity index 100%
rename from ql/lib/ext/gradle_gradle-build-action.model.yml
rename to ql/lib/ext/manual/gradle_gradle-build-action.model.yml
diff --git a/ql/lib/ext/haya14busa_action-cond.model.yml b/ql/lib/ext/manual/haya14busa_action-cond.model.yml
similarity index 100%
rename from ql/lib/ext/haya14busa_action-cond.model.yml
rename to ql/lib/ext/manual/haya14busa_action-cond.model.yml
diff --git a/ql/lib/ext/hexlet_project-action.model.yml b/ql/lib/ext/manual/hexlet_project-action.model.yml
similarity index 100%
rename from ql/lib/ext/hexlet_project-action.model.yml
rename to ql/lib/ext/manual/hexlet_project-action.model.yml
diff --git a/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml b/ql/lib/ext/manual/ilammy_msvc-dev-cmd.model.yml
similarity index 100%
rename from ql/lib/ext/ilammy_msvc-dev-cmd.model.yml
rename to ql/lib/ext/manual/ilammy_msvc-dev-cmd.model.yml
diff --git a/ql/lib/ext/ilammy_setup-nasm.model.yml b/ql/lib/ext/manual/ilammy_setup-nasm.model.yml
similarity index 100%
rename from ql/lib/ext/ilammy_setup-nasm.model.yml
rename to ql/lib/ext/manual/ilammy_setup-nasm.model.yml
diff --git a/ql/lib/ext/imjohnbo_issue-bot.model.yml b/ql/lib/ext/manual/imjohnbo_issue-bot.model.yml
similarity index 100%
rename from ql/lib/ext/imjohnbo_issue-bot.model.yml
rename to ql/lib/ext/manual/imjohnbo_issue-bot.model.yml
diff --git a/ql/lib/ext/iterative_setup-cml.model.yml b/ql/lib/ext/manual/iterative_setup-cml.model.yml
similarity index 100%
rename from ql/lib/ext/iterative_setup-cml.model.yml
rename to ql/lib/ext/manual/iterative_setup-cml.model.yml
diff --git a/ql/lib/ext/iterative_setup-dvc.model.yml b/ql/lib/ext/manual/iterative_setup-dvc.model.yml
similarity index 100%
rename from ql/lib/ext/iterative_setup-dvc.model.yml
rename to ql/lib/ext/manual/iterative_setup-dvc.model.yml
diff --git a/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml b/ql/lib/ext/manual/jamesives_github-pages-deploy-action.model.yml
similarity index 100%
rename from ql/lib/ext/jamesives_github-pages-deploy-action.model.yml
rename to ql/lib/ext/manual/jamesives_github-pages-deploy-action.model.yml
diff --git a/ql/lib/ext/jitterbit_get-changed-files.model.yml b/ql/lib/ext/manual/jitterbit_get-changed-files.model.yml
similarity index 100%
rename from ql/lib/ext/jitterbit_get-changed-files.model.yml
rename to ql/lib/ext/manual/jitterbit_get-changed-files.model.yml
diff --git a/ql/lib/ext/johnnymorganz_stylua-action.model.yml b/ql/lib/ext/manual/johnnymorganz_stylua-action.model.yml
similarity index 100%
rename from ql/lib/ext/johnnymorganz_stylua-action.model.yml
rename to ql/lib/ext/manual/johnnymorganz_stylua-action.model.yml
diff --git a/ql/lib/ext/jsdaniell_create-json.model.yml b/ql/lib/ext/manual/jsdaniell_create-json.model.yml
similarity index 100%
rename from ql/lib/ext/jsdaniell_create-json.model.yml
rename to ql/lib/ext/manual/jsdaniell_create-json.model.yml
diff --git a/ql/lib/ext/jurplel_install-qt-action.model.yml b/ql/lib/ext/manual/jurplel_install-qt-action.model.yml
similarity index 100%
rename from ql/lib/ext/jurplel_install-qt-action.model.yml
rename to ql/lib/ext/manual/jurplel_install-qt-action.model.yml
diff --git a/ql/lib/ext/jwalton_gh-ecr-push.model.yml b/ql/lib/ext/manual/jwalton_gh-ecr-push.model.yml
similarity index 100%
rename from ql/lib/ext/jwalton_gh-ecr-push.model.yml
rename to ql/lib/ext/manual/jwalton_gh-ecr-push.model.yml
diff --git a/ql/lib/ext/khan_pull-request-comment-trigger.model.yml b/ql/lib/ext/manual/khan_pull-request-comment-trigger.model.yml
similarity index 100%
rename from ql/lib/ext/khan_pull-request-comment-trigger.model.yml
rename to ql/lib/ext/manual/khan_pull-request-comment-trigger.model.yml
diff --git a/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml b/ql/lib/ext/manual/larsoner_circleci-artifacts-redirector-action.model.yml
similarity index 100%
rename from ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml
rename to ql/lib/ext/manual/larsoner_circleci-artifacts-redirector-action.model.yml
diff --git a/ql/lib/ext/leafo_gh-actions-lua.model.yml b/ql/lib/ext/manual/leafo_gh-actions-lua.model.yml
similarity index 100%
rename from ql/lib/ext/leafo_gh-actions-lua.model.yml
rename to ql/lib/ext/manual/leafo_gh-actions-lua.model.yml
diff --git a/ql/lib/ext/leafo_gh-actions-luarocks.model.yml b/ql/lib/ext/manual/leafo_gh-actions-luarocks.model.yml
similarity index 100%
rename from ql/lib/ext/leafo_gh-actions-luarocks.model.yml
rename to ql/lib/ext/manual/leafo_gh-actions-luarocks.model.yml
diff --git a/ql/lib/ext/lucasbento_auto-close-issues.model.yml b/ql/lib/ext/manual/lucasbento_auto-close-issues.model.yml
similarity index 100%
rename from ql/lib/ext/lucasbento_auto-close-issues.model.yml
rename to ql/lib/ext/manual/lucasbento_auto-close-issues.model.yml
diff --git a/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml b/ql/lib/ext/manual/mad9000_actions-find-and-replace-string.model.yml
similarity index 100%
rename from ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml
rename to ql/lib/ext/manual/mad9000_actions-find-and-replace-string.model.yml
diff --git a/ql/lib/ext/magefile_mage-action.model.yml b/ql/lib/ext/manual/magefile_mage-action.model.yml
similarity index 100%
rename from ql/lib/ext/magefile_mage-action.model.yml
rename to ql/lib/ext/manual/magefile_mage-action.model.yml
diff --git a/ql/lib/ext/maierj_fastlane-action.model.yml b/ql/lib/ext/manual/maierj_fastlane-action.model.yml
similarity index 100%
rename from ql/lib/ext/maierj_fastlane-action.model.yml
rename to ql/lib/ext/manual/maierj_fastlane-action.model.yml
diff --git a/ql/lib/ext/manusa_actions-setup-minikube.model.yml b/ql/lib/ext/manual/manusa_actions-setup-minikube.model.yml
similarity index 100%
rename from ql/lib/ext/manusa_actions-setup-minikube.model.yml
rename to ql/lib/ext/manual/manusa_actions-setup-minikube.model.yml
diff --git a/ql/lib/ext/marocchino_on_artifact.model.yml b/ql/lib/ext/manual/marocchino_on_artifact.model.yml
similarity index 100%
rename from ql/lib/ext/marocchino_on_artifact.model.yml
rename to ql/lib/ext/manual/marocchino_on_artifact.model.yml
diff --git a/ql/lib/ext/mattdavis0351_actions.model.yml b/ql/lib/ext/manual/mattdavis0351_actions.model.yml
similarity index 100%
rename from ql/lib/ext/mattdavis0351_actions.model.yml
rename to ql/lib/ext/manual/mattdavis0351_actions.model.yml
diff --git a/ql/lib/ext/meteorengineer_setup-meteor.model.yml b/ql/lib/ext/manual/meteorengineer_setup-meteor.model.yml
similarity index 100%
rename from ql/lib/ext/meteorengineer_setup-meteor.model.yml
rename to ql/lib/ext/manual/meteorengineer_setup-meteor.model.yml
diff --git a/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml b/ql/lib/ext/manual/metro-digital_setup-tools-for-waas.model.yml
similarity index 100%
rename from ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml
rename to ql/lib/ext/manual/metro-digital_setup-tools-for-waas.model.yml
diff --git a/ql/lib/ext/microsoft_setup-msbuild.model.yml b/ql/lib/ext/manual/microsoft_setup-msbuild.model.yml
similarity index 100%
rename from ql/lib/ext/microsoft_setup-msbuild.model.yml
rename to ql/lib/ext/manual/microsoft_setup-msbuild.model.yml
diff --git a/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml b/ql/lib/ext/manual/mishakav_pytest-coverage-comment.model.yml
similarity index 100%
rename from ql/lib/ext/mishakav_pytest-coverage-comment.model.yml
rename to ql/lib/ext/manual/mishakav_pytest-coverage-comment.model.yml
diff --git a/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml b/ql/lib/ext/manual/mr-smithers-excellent_docker-build-push.model.yml
similarity index 100%
rename from ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml
rename to ql/lib/ext/manual/mr-smithers-excellent_docker-build-push.model.yml
diff --git a/ql/lib/ext/msys2_setup-msys2.model.yml b/ql/lib/ext/manual/msys2_setup-msys2.model.yml
similarity index 100%
rename from ql/lib/ext/msys2_setup-msys2.model.yml
rename to ql/lib/ext/manual/msys2_setup-msys2.model.yml
diff --git a/ql/lib/ext/mxschmitt_action-tmate.model.yml b/ql/lib/ext/manual/mxschmitt_action-tmate.model.yml
similarity index 100%
rename from ql/lib/ext/mxschmitt_action-tmate.model.yml
rename to ql/lib/ext/manual/mxschmitt_action-tmate.model.yml
diff --git a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml b/ql/lib/ext/manual/mymindstorm_setup-emsdk.model.yml
similarity index 100%
rename from ql/lib/ext/mymindstorm_setup-emsdk.model.yml
rename to ql/lib/ext/manual/mymindstorm_setup-emsdk.model.yml
diff --git a/ql/lib/ext/nanasess_setup-chromedriver.model.yml b/ql/lib/ext/manual/nanasess_setup-chromedriver.model.yml
similarity index 100%
rename from ql/lib/ext/nanasess_setup-chromedriver.model.yml
rename to ql/lib/ext/manual/nanasess_setup-chromedriver.model.yml
diff --git a/ql/lib/ext/nanasess_setup-php.model.yml b/ql/lib/ext/manual/nanasess_setup-php.model.yml
similarity index 100%
rename from ql/lib/ext/nanasess_setup-php.model.yml
rename to ql/lib/ext/manual/nanasess_setup-php.model.yml
diff --git a/ql/lib/ext/nick-fields_retry.model.yml b/ql/lib/ext/manual/nick-fields_retry.model.yml
similarity index 100%
rename from ql/lib/ext/nick-fields_retry.model.yml
rename to ql/lib/ext/manual/nick-fields_retry.model.yml
diff --git a/ql/lib/ext/octokit_graphql-action.model.yml b/ql/lib/ext/manual/octokit_graphql-action.model.yml
similarity index 100%
rename from ql/lib/ext/octokit_graphql-action.model.yml
rename to ql/lib/ext/manual/octokit_graphql-action.model.yml
diff --git a/ql/lib/ext/octokit_request-action.model.yml b/ql/lib/ext/manual/octokit_request-action.model.yml
similarity index 100%
rename from ql/lib/ext/octokit_request-action.model.yml
rename to ql/lib/ext/manual/octokit_request-action.model.yml
diff --git a/ql/lib/ext/olafurpg_setup-scala.model.yml b/ql/lib/ext/manual/olafurpg_setup-scala.model.yml
similarity index 100%
rename from ql/lib/ext/olafurpg_setup-scala.model.yml
rename to ql/lib/ext/manual/olafurpg_setup-scala.model.yml
diff --git a/ql/lib/ext/paambaati_codeclimate-action.model.yml b/ql/lib/ext/manual/paambaati_codeclimate-action.model.yml
similarity index 100%
rename from ql/lib/ext/paambaati_codeclimate-action.model.yml
rename to ql/lib/ext/manual/paambaati_codeclimate-action.model.yml
diff --git a/ql/lib/ext/peter-evans_create-pull-request.model.yml b/ql/lib/ext/manual/peter-evans_create-pull-request.model.yml
similarity index 100%
rename from ql/lib/ext/peter-evans_create-pull-request.model.yml
rename to ql/lib/ext/manual/peter-evans_create-pull-request.model.yml
diff --git a/ql/lib/ext/peter-murray_issue-body-parser-action.model.yml b/ql/lib/ext/manual/peter-murray_issue-body-parser-action.model.yml
similarity index 100%
rename from ql/lib/ext/peter-murray_issue-body-parser-action.model.yml
rename to ql/lib/ext/manual/peter-murray_issue-body-parser-action.model.yml
diff --git a/ql/lib/ext/plasmicapp_plasmic-action.model.yml b/ql/lib/ext/manual/plasmicapp_plasmic-action.model.yml
similarity index 100%
rename from ql/lib/ext/plasmicapp_plasmic-action.model.yml
rename to ql/lib/ext/manual/plasmicapp_plasmic-action.model.yml
diff --git a/ql/lib/ext/preactjs_compressed-size-action.model.yml b/ql/lib/ext/manual/preactjs_compressed-size-action.model.yml
similarity index 100%
rename from ql/lib/ext/preactjs_compressed-size-action.model.yml
rename to ql/lib/ext/manual/preactjs_compressed-size-action.model.yml
diff --git a/ql/lib/ext/py-actions_flake8.model.yml b/ql/lib/ext/manual/py-actions_flake8.model.yml
similarity index 100%
rename from ql/lib/ext/py-actions_flake8.model.yml
rename to ql/lib/ext/manual/py-actions_flake8.model.yml
diff --git a/ql/lib/ext/py-actions_py-dependency-install.model.yml b/ql/lib/ext/manual/py-actions_py-dependency-install.model.yml
similarity index 100%
rename from ql/lib/ext/py-actions_py-dependency-install.model.yml
rename to ql/lib/ext/manual/py-actions_py-dependency-install.model.yml
diff --git a/ql/lib/ext/pyo3_maturin-action.model.yml b/ql/lib/ext/manual/pyo3_maturin-action.model.yml
similarity index 100%
rename from ql/lib/ext/pyo3_maturin-action.model.yml
rename to ql/lib/ext/manual/pyo3_maturin-action.model.yml
diff --git a/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml b/ql/lib/ext/manual/reactivecircus_android-emulator-runner.model.yml
similarity index 100%
rename from ql/lib/ext/reactivecircus_android-emulator-runner.model.yml
rename to ql/lib/ext/manual/reactivecircus_android-emulator-runner.model.yml
diff --git a/ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml b/ql/lib/ext/manual/redhat-plumbers-in-action_download-artifact.model.yml
similarity index 100%
rename from ql/lib/ext/redhat-plumbers-in-action_download-artifact.model.yml
rename to ql/lib/ext/manual/redhat-plumbers-in-action_download-artifact.model.yml
diff --git a/ql/lib/ext/reggionick_s3-deploy.model.yml b/ql/lib/ext/manual/reggionick_s3-deploy.model.yml
similarity index 100%
rename from ql/lib/ext/reggionick_s3-deploy.model.yml
rename to ql/lib/ext/manual/reggionick_s3-deploy.model.yml
diff --git a/ql/lib/ext/renovatebot_github-action.model.yml b/ql/lib/ext/manual/renovatebot_github-action.model.yml
similarity index 100%
rename from ql/lib/ext/renovatebot_github-action.model.yml
rename to ql/lib/ext/manual/renovatebot_github-action.model.yml
diff --git a/ql/lib/ext/roots_issue-closer-action.model.yml b/ql/lib/ext/manual/roots_issue-closer-action.model.yml
similarity index 100%
rename from ql/lib/ext/roots_issue-closer-action.model.yml
rename to ql/lib/ext/manual/roots_issue-closer-action.model.yml
diff --git a/ql/lib/ext/ros-tooling_setup-ros.model.yml b/ql/lib/ext/manual/ros-tooling_setup-ros.model.yml
similarity index 100%
rename from ql/lib/ext/ros-tooling_setup-ros.model.yml
rename to ql/lib/ext/manual/ros-tooling_setup-ros.model.yml
diff --git a/ql/lib/ext/ruby_setup-ruby.model.yml b/ql/lib/ext/manual/ruby_setup-ruby.model.yml
similarity index 100%
rename from ql/lib/ext/ruby_setup-ruby.model.yml
rename to ql/lib/ext/manual/ruby_setup-ruby.model.yml
diff --git a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml b/ql/lib/ext/manual/salsify_action-detect-and-tag-new-version.model.yml
similarity index 100%
rename from ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml
rename to ql/lib/ext/manual/salsify_action-detect-and-tag-new-version.model.yml
diff --git a/ql/lib/ext/sergeysova_jq-action.model.yml b/ql/lib/ext/manual/sergeysova_jq-action.model.yml
similarity index 100%
rename from ql/lib/ext/sergeysova_jq-action.model.yml
rename to ql/lib/ext/manual/sergeysova_jq-action.model.yml
diff --git a/ql/lib/ext/shallwefootball_upload-s3-action.model.yml b/ql/lib/ext/manual/shallwefootball_upload-s3-action.model.yml
similarity index 100%
rename from ql/lib/ext/shallwefootball_upload-s3-action.model.yml
rename to ql/lib/ext/manual/shallwefootball_upload-s3-action.model.yml
diff --git a/ql/lib/ext/shogo82148_actions-setup-perl.model.yml b/ql/lib/ext/manual/shogo82148_actions-setup-perl.model.yml
similarity index 100%
rename from ql/lib/ext/shogo82148_actions-setup-perl.model.yml
rename to ql/lib/ext/manual/shogo82148_actions-setup-perl.model.yml
diff --git a/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml b/ql/lib/ext/manual/skitionek_notify-microsoft-teams.model.yml
similarity index 100%
rename from ql/lib/ext/skitionek_notify-microsoft-teams.model.yml
rename to ql/lib/ext/manual/skitionek_notify-microsoft-teams.model.yml
diff --git a/ql/lib/ext/snow-actions_eclint.model.yml b/ql/lib/ext/manual/snow-actions_eclint.model.yml
similarity index 100%
rename from ql/lib/ext/snow-actions_eclint.model.yml
rename to ql/lib/ext/manual/snow-actions_eclint.model.yml
diff --git a/ql/lib/ext/stackhawk_hawkscan-action.model.yml b/ql/lib/ext/manual/stackhawk_hawkscan-action.model.yml
similarity index 100%
rename from ql/lib/ext/stackhawk_hawkscan-action.model.yml
rename to ql/lib/ext/manual/stackhawk_hawkscan-action.model.yml
diff --git a/ql/lib/ext/step-security_harden-runner.model.yml b/ql/lib/ext/manual/step-security_harden-runner.model.yml
similarity index 100%
rename from ql/lib/ext/step-security_harden-runner.model.yml
rename to ql/lib/ext/manual/step-security_harden-runner.model.yml
diff --git a/ql/lib/ext/suisei-cn_actions-download-file.model.yml b/ql/lib/ext/manual/suisei-cn_actions-download-file.model.yml
similarity index 100%
rename from ql/lib/ext/suisei-cn_actions-download-file.model.yml
rename to ql/lib/ext/manual/suisei-cn_actions-download-file.model.yml
diff --git a/ql/lib/ext/tibdex_backport.model.yml b/ql/lib/ext/manual/tibdex_backport.model.yml
similarity index 100%
rename from ql/lib/ext/tibdex_backport.model.yml
rename to ql/lib/ext/manual/tibdex_backport.model.yml
diff --git a/ql/lib/ext/timheuer_base64-to-file.model.yml b/ql/lib/ext/manual/timheuer_base64-to-file.model.yml
similarity index 100%
rename from ql/lib/ext/timheuer_base64-to-file.model.yml
rename to ql/lib/ext/manual/timheuer_base64-to-file.model.yml
diff --git a/ql/lib/ext/tj-actions_branch-names.model.yml b/ql/lib/ext/manual/tj-actions_branch-names.model.yml
similarity index 100%
rename from ql/lib/ext/tj-actions_branch-names.model.yml
rename to ql/lib/ext/manual/tj-actions_branch-names.model.yml
diff --git a/ql/lib/ext/trilom_file-changes-action.model.yml b/ql/lib/ext/manual/trilom_file-changes-action.model.yml
similarity index 100%
rename from ql/lib/ext/trilom_file-changes-action.model.yml
rename to ql/lib/ext/manual/trilom_file-changes-action.model.yml
diff --git a/ql/lib/ext/tripss_conventional-changelog-action.model.yml b/ql/lib/ext/manual/tripss_conventional-changelog-action.model.yml
similarity index 100%
rename from ql/lib/ext/tripss_conventional-changelog-action.model.yml
rename to ql/lib/ext/manual/tripss_conventional-changelog-action.model.yml
diff --git a/ql/lib/ext/tryghost_action-deploy-theme.model.yml b/ql/lib/ext/manual/tryghost_action-deploy-theme.model.yml
similarity index 100%
rename from ql/lib/ext/tryghost_action-deploy-theme.model.yml
rename to ql/lib/ext/manual/tryghost_action-deploy-theme.model.yml
diff --git a/ql/lib/ext/tzkhan_pr-update-action.model.yml b/ql/lib/ext/manual/tzkhan_pr-update-action.model.yml
similarity index 100%
rename from ql/lib/ext/tzkhan_pr-update-action.model.yml
rename to ql/lib/ext/manual/tzkhan_pr-update-action.model.yml
diff --git a/ql/lib/ext/veracode_veracode-sca.model.yml b/ql/lib/ext/manual/veracode_veracode-sca.model.yml
similarity index 100%
rename from ql/lib/ext/veracode_veracode-sca.model.yml
rename to ql/lib/ext/manual/veracode_veracode-sca.model.yml
diff --git a/ql/lib/ext/wearerequired_lint-action.model.yml b/ql/lib/ext/manual/wearerequired_lint-action.model.yml
similarity index 100%
rename from ql/lib/ext/wearerequired_lint-action.model.yml
rename to ql/lib/ext/manual/wearerequired_lint-action.model.yml
diff --git a/ql/lib/ext/webfactory_ssh-agent.model.yml b/ql/lib/ext/manual/webfactory_ssh-agent.model.yml
similarity index 100%
rename from ql/lib/ext/webfactory_ssh-agent.model.yml
rename to ql/lib/ext/manual/webfactory_ssh-agent.model.yml
diff --git a/ql/lib/ext/xt0rted_slash-command-action.model.yml b/ql/lib/ext/manual/xt0rted_slash-command-action.model.yml
similarity index 100%
rename from ql/lib/ext/xt0rted_slash-command-action.model.yml
rename to ql/lib/ext/manual/xt0rted_slash-command-action.model.yml
diff --git a/ql/lib/ext/zaproxy_action-baseline.model.yml b/ql/lib/ext/manual/zaproxy_action-baseline.model.yml
similarity index 100%
rename from ql/lib/ext/zaproxy_action-baseline.model.yml
rename to ql/lib/ext/manual/zaproxy_action-baseline.model.yml
diff --git a/ql/lib/ext/zaproxy_action-full-scan.model.yml b/ql/lib/ext/manual/zaproxy_action-full-scan.model.yml
similarity index 100%
rename from ql/lib/ext/zaproxy_action-full-scan.model.yml
rename to ql/lib/ext/manual/zaproxy_action-full-scan.model.yml
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index abc56e6a090..aece8aacc5f 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -11,6 +11,6 @@ dependencies:
 extractor: javascript
 groups: javascript
 dataExtensions:
- - ext/*.model.yml
- - ext/**/*.model.yml
- - ext/workflow-models/workflow-models.yml
+ - ext/manual/*.model.yml
+ - ext/generated/**/*.model.yml
+ - ext/config/*.yml
diff --git a/ql/test/library-tests/workflowenum.ql b/ql/test/library-tests/workflowenum.ql
index b3dc9185ec4..a4d4eb43bb2 100644
--- a/ql/test/library-tests/workflowenum.ql
+++ b/ql/test/library-tests/workflowenum.ql
@@ -1,5 +1,5 @@
 import actions
-import codeql.actions.dataflow.internal.ExternalFlowExtensions as Extensions
+import codeql.actions.config.ConfigExtensions as Extensions
 from string path, string trigger, string job, string secrets_source, string permissions,
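Review bot: The new manual-model glob `ext/manual/*.model.yml` in the qlpack.yml hunk is not recursive, whereas the removed `ext/**/*.model.yml` was and the sibling `ext/generated/**/*.model.yml` still is, so a model file placed in a subdirectory of `ext/manual/` would be silently left out of the analysis rather than failing loudly. Unless a flat layout for manual models is intended, `- ext/manual/**/*.model.yml` keeps the two lines consistent. Since `ext/config/*.yml` appears to now load the configuration that drives the security queries, a short comment above `dataExtensions:` would help future reviewers of that directory, e.g. `# Every file matching these globs is loaded as a data extension; keep ext/config/ limited to reviewed configuration.`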