github-actions[bot]
456e33773b
Post-release preparation for codeql-cli-2.26.0
2026-06-25 16:24:06 +00:00
github-actions[bot]
237c5639e2
Release preparation for version 2.26.0
2026-06-25 15:27:00 +00:00
Paolo Tranquilli
b67644c127
Merge pull request #21986 from JarLob/userpermissions
...
Actions: Fix dominates() false positive in reusable workflows
2026-06-25 14:44:17 +02:00
Jaroslav Lobačevski
7fc4b4856e
Fix formatting
2026-06-24 17:17:16 +00:00
Paolo Tranquilli
4b8cb3ffac
Fix false negative for branching nested reusable workflows
...
The previous fix required all outermost callers of a reusable workflow to
be protected, which collapsed distinct safe/unsafe inner paths that share
the same outermost caller. Track protection per caller chain instead: a
node inside a reusable workflow is only considered protected if there is
no unprotected caller path up to an outer workflow.
Adds a branching nested regression test where one inner job is protected
by a permission check and a sibling inner job is not.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com >
2026-06-24 18:22:01 +02:00
Jaroslav Lobačevski
31f6e713c5
Fix "The variable event is only used in one side of disjunct."
2026-06-23 12:06:01 +00:00
Jaroslav Lobačevski
e2347a5c7d
Fix for independent checks
2026-06-23 11:52:11 +00:00
Jaroslav Lobačevski
7f16853715
Remove trailing white space
2026-06-18 12:11:18 +00:00
Jaroslav Lobačevski
2d6feb1255
Fix false negatives when one of the jobs had proper checks and the other didn't
2026-06-18 12:02:56 +00:00
Mathias Vorreiter Pedersen
c12cf88c52
Merge branch 'main' into add-yaml-comments
2026-06-17 10:17:06 +01:00
Jon Janego
72f34c2b3b
Merge pull request #21971 from github/mario-campos/fix-changenote-grammar
...
Fix changelog copy errors in change-notes and CHANGELOG.md files
2026-06-16 10:15:25 -05:00
Jaroslav Lobačevski
d51a9a3e1a
Support nested reusable workflows
2026-06-15 06:52:13 +00:00
Jaroslav Lobačevski
048884bb78
Remove redundant cast
2026-06-15 06:12:45 +00:00
Jaroslav Lobačevski
2eed6c1736
Fix dominates() false positive in reusable workflows
2026-06-15 05:42:59 +00:00
Jaroslav Lobačevski
bea5522473
rename change note
2026-06-12 07:52:34 +00:00
Jaroslav Lobačevski
eedef515f7
Updated regex. Added test and change note.
2026-06-12 07:50:02 +00:00
Jaroslav Lobačevski
9078b511c6
Update regex for GitHub hosted runner matching
...
Fixes false positives (of critical severity). New label naming conventions were introduced since the query was initially written.
2026-06-12 09:37:18 +03:00
copilot-swe-agent[bot]
838d06c53f
Fix changelog copy errors in change-notes and CHANGELOG.md files (codeql-cli-2.25.6)
2026-06-11 22:45:33 +02:00
Mathias Vorreiter Pedersen
b6521e7c0e
Actions: Support YAML comments.
2026-06-04 17:54:46 +01:00
github-actions[bot]
cfb18c2477
Post-release preparation for codeql-cli-2.25.6
2026-05-29 12:04:35 +00:00
github-actions[bot]
8b6f969cdb
Release preparation for version 2.25.6
2026-05-29 11:27:54 +00:00
Henry Mercer
9bc0c1b1ab
Revert "Release preparation for version 2.25.6"
2026-05-29 12:13:50 +01:00
github-actions[bot]
44a914e40f
Release preparation for version 2.25.6
2026-05-25 10:23:26 +00:00
Óscar San José
996e79131e
Merge branch 'main' into post-release-prep/codeql-cli-2.25.5
2026-05-22 16:32:30 +02:00
github-actions[bot]
9f64000962
Post-release preparation for codeql-cli-2.25.5
2026-05-18 15:20:31 +00:00
github-actions[bot]
e38616a2ef
Release preparation for version 2.25.5
2026-05-18 12:05:32 +00:00
Owen Mansel-Chan
b49b8ff6bd
Give slightly more detail in change note
2026-05-13 13:47:53 +01:00
Owen Mansel-Chan
ea29986c4f
Fix non-US english by using "parentheses" instead of "brackets"
...
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com >
2026-05-12 22:40:03 +01:00
Owen Mansel-Chan
f58268064e
Add change note for alphanumeric regex change
2026-05-12 22:40:03 +01:00
copilot-swe-agent[bot]
562f415f64
Tidy Bash alphaNumericRegex comment spacing
2026-05-12 22:40:03 +01:00
copilot-swe-agent[bot]
0620d348b2
Update Bash alphaNumericRegex to match grouped quantified forms
2026-05-12 22:40:03 +01:00
copilot-swe-agent[bot]
ef1bde7565
Widen pinned SHA regex to support SHA-256 (64-char hex) and add tests
2026-05-12 22:40:03 +01:00
Paolo Tranquilli
f9e42ac443
Merge pull request #21794 from github/post-release-prep/codeql-cli-2.25.4
...
Post-release preparation for codeql-cli-2.25.4
2026-05-07 14:43:24 +02:00
Owen Mansel-Chan
e6f587e761
Merge pull request #21715 from knewbury01/knewbury01/adjust-actions-queries-untrusted-checkout
...
Improve actions/ql/src/Security/CWE-829/UntrustedCheckoutX queries
2026-05-06 11:52:30 +01:00
github-actions[bot]
7610277199
Post-release preparation for codeql-cli-2.25.4
2026-05-05 10:10:06 +00:00
github-actions[bot]
88e1d86c27
Release preparation for version 2.25.4
2026-05-05 09:34:30 +00:00
Kristen Newbury
39b6cf9468
Address review comments
2026-05-04 16:47:44 -04:00
Kristen Newbury
b0bc0fdd61
Adjust changenotes actions queries
2026-04-30 12:28:06 -04:00
github-actions[bot]
a0bab539bb
Post-release preparation for codeql-cli-2.25.3
2026-04-20 12:40:34 +00:00
github-actions[bot]
c861d99802
Release preparation for version 2.25.3
2026-04-20 09:27:23 +00:00
Paolo Tranquilli
5342cc79fb
Merge pull request #21574 from github/redsun82/actions/remove-harden-runner-false-positive
...
Remove false positive injection sink models for `docker/build-push-action` and `step-security/harden-runner`
2026-04-17 09:43:45 +02:00
Kristen Newbury
589e1e5c19
Update actions/ql/lib/ext/config/poisonable_steps.yml
...
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com >
2026-04-15 16:27:06 -04:00
Kristen Newbury
c9e5dbda78
Update actions/ql/lib/ext/config/poisonable_steps.yml
...
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com >
2026-04-15 16:26:38 -04:00
Kristen Newbury
1233d81523
Improve actions/ql/src/Security/CWE-829/UntrustedCheckoutX queries
2026-04-15 14:11:17 -04:00
github-actions[bot]
242090e0ac
Post-release preparation for codeql-cli-2.25.2
2026-04-06 13:49:20 +00:00
github-actions[bot]
4fe2f6d2b4
Release preparation for version 2.25.2
2026-04-06 10:30:38 +00:00
github-actions[bot]
ce6e6d5db3
Post-release preparation for codeql-cli-2.25.1
2026-03-30 08:43:48 +00:00
Paolo Tranquilli
e0bc18c228
Add changenote for false positive sink model removals
2026-03-26 09:19:34 +01:00
Paolo Tranquilli
e807545591
Remove false positive docker/build-push-action context sink model
...
The `context` input is passed as a single array element through
`docker/actions-toolkit` and `@actions/exec` all the way to
`child_process.spawn()`, which does not perform shell splitting.
No code injection is possible.
Fixes https://github.com/github/codeql/issues/21428
2026-03-26 09:08:34 +01:00
github-actions[bot]
fb011842c9
Release preparation for version 2.25.1
2026-03-25 23:43:06 +00:00