mirror of
https://github.com/github/codeql.git
synced 2026-06-25 14:47:04 +02:00
The previous fix required all outermost callers of a reusable workflow to be protected, which collapsed distinct safe/unsafe inner paths that share the same outermost caller. Track protection per caller chain instead: a node inside a reusable workflow is only considered protected if there is no unprotected caller path up to an outer workflow. Adds a branching nested regression test where one inner job is protected by a permission check and a sibling inner job is not.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>