Skip to content

Correct query metadata for actions/untrusted-checkout/medium#21946

Open
henrymercer wants to merge 1 commit into
rc/3.22from
henrymercer/actions-tweak-query-name
Open

Correct query metadata for actions/untrusted-checkout/medium#21946
henrymercer wants to merge 1 commit into
rc/3.22from
henrymercer/actions-tweak-query-name

Conversation

@henrymercer
Copy link
Copy Markdown
Contributor

@henrymercer henrymercer commented Jun 4, 2026

Quick PR addressing some feedback from the 2.25.6 release. In particular, the medium severity actions/untrusted-checkout/medium query only includes unprivileged contexts, so this PR updates its name, description, and message accordingly.

@henrymercer henrymercer requested review from knewbury01 and owen-mc June 4, 2026 17:21
@henrymercer henrymercer requested a review from a team as a code owner June 4, 2026 17:21
Copilot AI review requested due to automatic review settings June 4, 2026 17:21
@github-actions github-actions Bot added documentation Actions Analysis of GitHub Actions labels Jun 4, 2026
Copilot AI reviewed Jun 4, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the actions/untrusted-checkout/medium query metadata (name/description/message) so it correctly describes detection in unprivileged workflow contexts, and updates the associated test expectations and change notes.

Changes:

  • Adjusted actions/untrusted-checkout/medium query metadata and alert message to refer to unprivileged workflows/contexts.
  • Renamed the helper predicate from inNonPrivilegedContext to inUnprivilegedContext.
  • Added a change note entry and updated the .expected test output accordingly.
Show a summary per file
File Description
actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected Updates expected test output to match the revised alert message text.
actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql Updates query metadata text and switches to inUnprivilegedContext + updated message string.
actions/ql/src/change-notes/2026-06-04-untrusted-checkout-medium-metadata.md Adds a change note documenting the query metadata correction.
actions/ql/lib/codeql/actions/Helper.qll Renames the helper predicate used to detect unprivileged contexts.

Copilot's findings

  • Files reviewed: 4/4 changed files
  • Comments generated: 2

Comment thread actions/ql/lib/codeql/actions/Helper.qll Outdated
Comment thread actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql Outdated
@henrymercer henrymercer force-pushed the henrymercer/actions-tweak-query-name branch from 9929cb5 to 2bf3faa Compare June 4, 2026 17:27
@henrymercer henrymercer changed the base branch from main to rc/3.22 June 4, 2026 17:28
@henrymercer henrymercer marked this pull request as draft June 4, 2026 17:32
@henrymercer henrymercer force-pushed the henrymercer/actions-tweak-query-name branch from 2bf3faa to f4dc86e Compare June 4, 2026 18:12
@henrymercer henrymercer marked this pull request as ready for review June 4, 2026 18:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@knewbury01 knewbury01 Awaiting requested review from knewbury01

@owen-mc owen-mc Awaiting requested review from owen-mc

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

Actions Analysis of GitHub Actions documentation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@henrymercer