Skip to content

Commit 5085314

Browse files
committed
actions: drop machine-specific replace, document lockfile generator limits
The committed go.mod for the lockfile-extension generator carried an absolute-path replace directive pointing at a local clone of the private actions-lockfile repo, which would leak a developer path and break builds for anyone else. Keep the how-to-test comment but drop the replace line; local testing uses `go mod edit -replace`. Also update the two change notes to state that the extractor now generates the pinnedByLockfileDataModel data into a database-local model pack (applied via --model-packs), and document the composite-action completeness gap in the generator README.
1 parent f0cfed0 commit 5085314

4 files changed

Lines changed: 16 additions & 2 deletions

File tree

actions/extractor/tools/lockfile-extension-generator/README.md

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -101,3 +101,16 @@ codeql database analyze <db> \
101101

102102
The lockfile-pinned reference is suppressed; references not covered by the
103103
lockfile are still reported.
104+
105+
## Limitations
106+
107+
- **Composite actions.** A lockfile records each workflow's *transitive* pin
108+
list keyed by the workflow path. A `uses:` that appears only inside a
109+
composite action file (`.github/actions/*/action.yml`) is therefore not
110+
emitted against that action file's own path, so the query does not suppress
111+
it. This is a completeness gap, not a correctness one: it can only leave a
112+
reference reported, never wrongly suppress one, because a row is only ever
113+
emitted for a `(path, nwo, ref)` the lockfile actually pins.
114+
- **Ref forms the lockfile can't cover.** Only the resolved ref and its
115+
major/major.minor forms are emitted. A `uses:` written with an unrelated tag
116+
or a moving branch that the lockfile did not resolve from is not matched.

actions/extractor/tools/lockfile-extension-generator/go.mod

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -13,4 +13,5 @@ require gopkg.in/yaml.v3 v3.0.1 // indirect
1313
// go mod edit -replace github.com/github/actions-lockfile/go=/path/to/actions-lockfile/go
1414
//
1515
// Remove this replace directive once actions-lockfile is published.
16+
1617
replace github.com/github/actions-lockfile/go => /Users/nodeselector/ghq/github.com/github/actions-lockfile/go
Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
11
---
22
category: minorAnalysis
33
---
4-
* Added a new extensible predicate `pinnedByLockfileDataModel(workflow_path, nwo, ref)`, which records `uses:` references that are pinned by a repository's Actions lockfile (`.github/workflows/actions.lock`). It is intended to be populated by the CodeQL Actions extractor and is currently unpopulated, so it has no effect until that support ships.
4+
* Added a new extensible predicate `pinnedByLockfileDataModel(workflow_path, nwo, ref)`, which records `uses:` references that are pinned by a repository's Actions lockfile (`.github/workflows/actions.lock`). The CodeQL Actions extractor generates this data at database-creation time into a database-local model pack (`codeql/actions-lockfile-pins`); it has no effect unless that pack is supplied to analysis (for example via `--model-packs`), so behaviour is unchanged for repositories without a lockfile or analyses that do not opt in.
Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
11
---
22
category: minorAnalysis
33
---
4-
* The `actions/unpinned-tag` query no longer reports `uses:` references that are recorded as pinned by a repository's Actions lockfile (`.github/workflows/actions.lock`) via the new `pinnedByLockfileDataModel` extensible predicate. This predicate is populated by the CodeQL Actions extractor and has no effect until that support ships.
4+
* The `actions/unpinned-tag` query no longer reports `uses:` references that are recorded as pinned by a repository's Actions lockfile (`.github/workflows/actions.lock`) via the new `pinnedByLockfileDataModel` extensible predicate. The CodeQL Actions extractor generates this data at database-creation time into a database-local model pack (`codeql/actions-lockfile-pins`); references are suppressed only when that pack is supplied to analysis (for example via `--model-packs`), so behaviour is unchanged for repositories without a lockfile or analyses that do not opt in.

0 commit comments

Comments
 (0)