Adds support for multiple versions of external actions and workflows #21835
Open
jessehouwing wants to merge 2 commits into
Conversation
Pull request overview
This PR adds SHA-based mapping support for resolving external GitHub Actions and callable workflows referenced via uses:, enabling multiple versions/refs of the same external dependency to be stored and analyzed deterministically.
Changes:
- Introduces `.github/*/external/mapping.yaml`-driven resolution via a new `MappingHelper` module and updates call target resolution to incorporate `uses` versions/refs.
- Extends Actions dataflow APIs (for example, exposing the called version/ref) and refines step/job resolution used by the CWE-349 queries.
- Adds new regression tests + fixtures for mapping resolution (including sub-path and legacy layouts) and updates extractor path filters to include the new mapping files.
Reviewed changes
Copilot reviewed 18 out of 18 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected | Updates expected edge outputs to reflect external composite-action step resolution. |
| actions/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected | Updates expected results/edges for CWE-349 with new external-action traversal behavior. |
| actions/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache7.yml | Adds a workflow test case that exercises cache poisoning through an external composite action. |
| actions/ql/test/query-tests/Security/CWE-349/.github/actions/external/TestOrg/CacheAction/sha123abc/action.yml | Adds an external composite action fixture (SHA-directory layout). |
| actions/ql/test/query-tests/Security/CWE-349/.github/actions/external/mapping.yaml | Adds mapping from owner/repo@ref to sha for CWE-349 query test fixtures. |
| actions/ql/test/library-tests/mapping-resolution/mapping-resolution.ql | Adds a library test query to enumerate mappings and resolved call targets. |
| actions/ql/test/library-tests/mapping-resolution/mapping-resolution.expected | Adds expected outputs for mapping entries, discovered composite actions, and resolved calls. |
| actions/ql/test/library-tests/mapping-resolution/.github/workflows/test.yml | Adds workflow fixtures that call external actions at multiple refs (including sub-path and legacy). |
| actions/ql/test/library-tests/mapping-resolution/.github/actions/external/TestOrg/TestAction/def789abc012/action.yml | Adds external composite action fixture for a second version/ref. |
| actions/ql/test/library-tests/mapping-resolution/.github/actions/external/TestOrg/TestAction/abc123def456/action.yml | Adds external composite action fixture for the first version/ref. |
| actions/ql/test/library-tests/mapping-resolution/.github/actions/external/TestOrg/TestAction-Sub/fedcba987654/sub-action/action.yml | Adds an external composite action fixture stored at a sub-path. |
| actions/ql/test/library-tests/mapping-resolution/.github/actions/external/mapping.yaml | Adds library-test mapping entries from refs to SHAs. |
| actions/ql/test/library-tests/mapping-resolution/.github/actions/external/LegacyOrg/LegacyAction/action.yml | Adds a legacy external action fixture without SHA directory for backward-compat coverage. |
| actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql | Adjusts CWE-349 query logic to account for steps inside composite actions. |
| actions/ql/lib/codeql/actions/MappingHelper.qll | Introduces predicates to read SHA mappings for external actions and workflows. |
| actions/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll | Updates internal resolution logic to incorporate version/ref-based mapping resolution. |
| actions/extractor/tools/autobuild.sh | Updates default path filters to include the new external mapping files. |
| actions/extractor/tools/autobuild-impl.ps1 | Updates PowerShell path filters to include the new external mapping files. |
Comment on lines +7 to +10
| - uses: actions/cache@v4 | ||
| with: | ||
| path: ./poison | ||
| key: poison-cache-key |
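Review bot: nothing in lines 7-10 marks this `actions/cache@v4` step as the intentionally poisonable one, and the path `./poison` and fixed key `poison-cache-key` are only suggestive. Since the file list describes direct_cache7.yml as exercising cache poisoning through an external composite action, a one-line comment above `- uses: actions/cache@v4` naming the step that is expected to be flagged by CachePoisoningViaDirectCache, and which external action supplies the poisoned content, would make the updated `.expected` edges much easier to review.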
Comment on lines +11 to +13
| - shell: bash | ||
| run: | | ||
| echo "${{ inputs.message }}" |
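Review bot: `${{ inputs.message }}` is expanded directly inside the `run:` script on lines 11-13, which is the expression-injection pattern GitHub's hardening guidance tells action authors to avoid. This fixture exists to exercise ref-to-SHA resolution rather than injection, so either route the input through the environment (`env: MSG: ${{ inputs.message }}` and then `echo "$MSG"`), or add a comment stating that the direct interpolation is intentional, so the fixture is not later mistaken for, or accidentally picked up as, a code-injection test case.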
Comment on lines +11 to +13
| - shell: bash | ||
| run: | | ||
| echo "v2: ${{ inputs.message }}" |
Comment on lines +11 to +13
| - shell: bash | ||
| run: | | ||
| echo "Restoring ${{ inputs.path }}" |
Comment on lines +7 to +8
| - shell: bash | ||
| run: echo "Legacy action without SHA-based resolution" |
Fixes: #21834
Could be used with an action similar to: jessehouwing/codeql-remote-actions-extractor
This pull request introduces support for resolving external GitHub Actions and workflows using SHA-based mapping files, enabling more robust and precise resolution of external composite actions and workflows referenced by `uses:` steps. The core logic is implemented in a new `MappingHelper` QL module, and the change is validated with new tests and updates to path filters and expected outputs.

External Action and Workflow Resolution Improvements

- New `MappingHelper.qll` with predicates `externalActionRefMapping` and `externalWorkflowRefMapping` to resolve external action and workflow references via SHA-based mapping files located at `.github/actions/external/mapping.yaml` and `.github/workflows/external/mapping.yaml`.
- Updated `viableCallable` predicate to use these mappings for resolving external composite actions and workflows, supporting both direct and sub-path references, and maintaining backward compatibility for legacy actions.

Dataflow and API Enhancements

- Added `getVersion()` method to `DataFlowCall` for accessing the version/ref of the called action or workflow.
- Updated `nodeGetEnclosingCallable` function for more precise resolution.

Infrastructure and Path Filter Updates

- Updated `autobuild.sh` and `autobuild-impl.ps1` to include the new mapping files, ensuring they are picked up by automation and analysis tools.

Testing and Validation

- New tests under `library-tests/mapping-resolution` to cover various action resolution scenarios, including sub-paths and legacy actions.

These changes collectively enable more accurate and secure resolution of external actions and workflows in GitHub Actions analysis, with robust test coverage and compatibility with existing workflows.
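As an added example (not code from this PR or from the CodeQL Actions library), the following Python sketches the resolution order the description implies: a `uses:` reference of the form `owner/repo[/sub-path]@ref` is looked up in a ref-to-SHA mapping and mapped onto the `.github/actions/external/<owner>/<repo>/<sha>/` layout visible in the fixture paths above, with the pre-existing `<owner>/<repo>/action.yml` layout as the legacy fallback. The mapping schema (a plain `owner/repo@ref` to SHA dictionary, as if already parsed from mapping.yaml), the in-memory file list, and the helper names are assumptions. It goes slightly beyond the page in two ways: it accepts a `uses:` that already pins a 40-hex commit without consulting the mapping, and it reports refs the mapping does not pin, because a tag or branch that resolves only through the legacy layout tells the analyst nothing about which commit was actually analysed.

```python
"""Resolve a GitHub Actions `uses:` reference to a vendored action file.

Added illustration of the layout the PR's fixtures imply; not code from the
PR or from the CodeQL Actions library. Assumptions:
  * mapping.yaml has already been parsed into a dict keyed "owner/repo@ref"
    with the commit SHA as value (the real YAML schema is not shown here);
  * vendored actions live at
    .github/actions/external/<owner>/<repo>/<sha>[/<sub-path>]/action.yml,
    and the older .github/actions/external/<owner>/<repo>/action.yml layout
    is kept as a legacy fallback.
"""
from __future__ import annotations

import re
from typing import Optional

# Constructed mapping, standing in for a parsed .github/actions/external/mapping.yaml.
MAPPING: dict[str, str] = {
    "TestOrg/TestAction@v1": "abc123def456",
    "TestOrg/TestAction@v2": "def789abc012",
    "TestOrg/TestAction-Sub@v1": "fedcba987654",
}

# Constructed stand-in for the checked-out repository: the action files that exist.
VENDORED_FILES: frozenset[str] = frozenset({
    ".github/actions/external/TestOrg/TestAction/abc123def456/action.yml",
    ".github/actions/external/TestOrg/TestAction/def789abc012/action.yml",
    ".github/actions/external/TestOrg/TestAction-Sub/fedcba987654/sub-action/action.yml",
    ".github/actions/external/LegacyOrg/LegacyAction/action.yml",
    ".github/actions/external/Pinned/Action/" + "a" * 40 + "/action.yml",
})

EXTERNAL_ROOT = ".github/actions/external"

# owner/repo[/sub/path]@ref -- local (./) and docker:// references are not external repos.
_USES_RE = re.compile(
    r"^(?P<owner>[^/@\s]+)/(?P<repo>[^/@\s]+)(?P<sub>(?:/[^@\s]+)?)@(?P<ref>\S+)$"
)
_FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(uses: str) -> Optional[tuple[str, str, str, str]]:
    """Split `uses` into (owner, repo, sub_path, ref); None if not an external repo ref."""
    if uses.startswith("./") or uses.startswith("docker://"):
        return None
    m = _USES_RE.match(uses)
    if m is None:
        return None
    return m["owner"], m["repo"], m["sub"].strip("/"), m["ref"]


def resolve_action(
    uses: str,
    mapping: dict[str, str] = MAPPING,
    files: frozenset[str] = VENDORED_FILES,
    root: str = EXTERNAL_ROOT,
) -> Optional[str]:
    """Return the vendored action.yml path for `uses`, or None if unresolvable.

    Resolution order:
      1. ref is already a full 40-hex commit SHA -> <root>/<owner>/<repo>/<ref>/...
      2. mapping pins "<owner>/<repo>@<ref>"     -> <root>/<owner>/<repo>/<sha>/...
      3. legacy layout without a SHA directory   -> <root>/<owner>/<repo>/...
    """
    parsed = parse_uses(uses)
    if parsed is None:
        return None
    owner, repo, sub, ref = parsed
    base = f"{root}/{owner}/{repo}"
    tail = f"{sub}/action.yml" if sub else "action.yml"

    candidates: list[str] = []
    if _FULL_SHA_RE.match(ref):
        candidates.append(f"{base}/{ref}/{tail}")
    sha = mapping.get(f"{owner}/{repo}@{ref}")
    if sha is not None:
        candidates.append(f"{base}/{sha}/{tail}")
    candidates.append(f"{base}/{tail}")  # legacy fallback, no commit information

    for path in candidates:
        if path in files:
            return path
    return None


def unmapped_mutable_refs(uses_refs: list[str], mapping: dict[str, str] = MAPPING) -> list[str]:
    """Report external refs that are neither full commit SHAs nor pinned by the mapping."""
    out: list[str] = []
    for uses in uses_refs:
        parsed = parse_uses(uses)
        if parsed is None:
            continue
        owner, repo, _sub, ref = parsed
        if not _FULL_SHA_RE.match(ref) and f"{owner}/{repo}@{ref}" not in mapping:
            out.append(uses)
    return out


if __name__ == "__main__":
    for u in ["TestOrg/TestAction@v1", "TestOrg/TestAction@v2",
              "TestOrg/TestAction-Sub/sub-action@v1", "LegacyOrg/LegacyAction@main",
              "actions/cache@v4", "./local-action"]:
        print(f"{u:45} -> {resolve_action(u)}")
```

The `root` argument can be pointed at `.github/workflows/external` for reusable workflows, but the file naming there is not shown on this page and would have to match whatever the workflow mapping produces.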