Merge pull request #21692 from github/copilot/update-codeql-query-for-composite-actions

oscarsj · web-flow · commit 8a199f963d59 · 2026-05-18T12:17:13.000+02:00
Extend `actions/unpinned-tag` to analyze composite action metadata (`action.yml` / `action.yaml`)
diff --git a/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql b/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
@@ -1,5 +1,5 @@
 /**
- * @name Unpinned tag for a non-immutable Action in workflow
+ * @name Unpinned tag for a non-immutable Action in workflow or composite action
  * @description Using a tag for a non-immutable Action that is not pinned to a commit can lead to executing an untrusted Action through a supply chain attack.
  * @kind problem
  * @security-severity 5.0
@@ -31,15 +31,26 @@ private predicate isPinnedContainer(string version) {
 bindingset[nwo]
 private predicate isContainerImage(string nwo) { nwo.regexpMatch("^docker://.+") }
 
-from UsesStep uses, string nwo, string version, Workflow workflow, string name
+private predicate getStepContainerName(UsesStep uses, string name) {
+  exists(Workflow workflow |
+    uses.getEnclosingWorkflow() = workflow and
+    (
+      workflow.getName() = name
+      or
+      not exists(workflow.getName()) and workflow.getLocation().getFile().getBaseName() = name
+    )
+  )
+  or
+  exists(CompositeAction action |
+    uses.getEnclosingCompositeAction() = action and
+    name = action.getLocation().getFile().getBaseName()
+  )
+}
+
+from UsesStep uses, string nwo, string version, string name
 where
   uses.getCallee() = nwo and
-  uses.getEnclosingWorkflow() = workflow and
-  (
-    workflow.getName() = name
-    or
-    not exists(workflow.getName()) and workflow.getLocation().getFile().getBaseName() = name
-  ) and
+  getStepContainerName(uses, name) and
   uses.getVersion() = version and
   not isTrustedOwner(nwo) and
   not (if isContainerImage(nwo) then isPinnedContainer(version) else isPinnedCommit(version)) and
diff --git a/actions/ql/src/change-notes/2026-04-20-unpinned-tag-composite-actions.md b/actions/ql/src/change-notes/2026-04-20-unpinned-tag-composite-actions.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `actions/unpinned-tag` query now analyzes composite action metadata (`action.yml`/`action.yaml` files) in addition to workflow files, providing more comprehensive detection of unpinned action references across the entire Actions ecosystem.
diff --git a/actions/ql/test/query-tests/Security/CWE-829/.github/actions/unpinned-tag/action.yml b/actions/ql/test/query-tests/Security/CWE-829/.github/actions/unpinned-tag/action.yml
@@ -0,0 +1,6 @@
+name: Composite unpinned tag test
+runs:
+  using: "composite"
+  steps:
+    - uses: foo/bar@v2
+    - uses: foo/bar@25b062c917b0c75f8b47d8469aff6c94ffd89abb
diff --git a/actions/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/actions/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
@@ -1,3 +1,4 @@
+| .github/actions/unpinned-tag/action.yml:5:13:5:22 | foo/bar@v2 | Unpinned 3rd party Action 'action.yml' step $@ uses 'foo/bar' with ref 'v2', not a pinned commit hash | .github/actions/unpinned-tag/action.yml:5:7:6:4 | Uses Step | Uses Step |
 | .github/workflows/actor_trusted_checkout.yml:19:13:19:36 | completely/fakeaction@v2 | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Uses Step |
 | .github/workflows/actor_trusted_checkout.yml:23:13:23:37 | fakerepo/comment-on-pr@v1 | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Uses Step |
 | .github/workflows/artifactpoisoning21.yml:13:15:13:49 | dawidd6/action-download-artifact@v2 | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Uses Step |
diff --git a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
@@ -8,6 +8,7 @@ edges
 | .github/actions/download-artifact/action.yaml:25:7:29:4 | Run Step | .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step |
 | .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step | .github/workflows/artifactpoisoning91.yml:19:9:25:6 | Run Step: metadata |
 | .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step | .github/workflows/resolve-args.yml:22:9:36:13 | Run Step: resolve-step |
+| .github/actions/unpinned-tag/action.yml:5:7:6:4 | Uses Step | .github/actions/unpinned-tag/action.yml:6:7:6:61 | Uses Step |
 | .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step |
 | .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step |
 | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step |

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* The `actions/unpinned-tag` query now analyzes composite action metadata (`action.yml`/`action.yaml` files) in addition to workflow files, providing more comprehensive detection of unpinned action references across the entire Actions ecosystem.
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+\| .github/actions/unpinned-tag/action.yml:5:13:5:22 \| foo/bar@v2 \| Unpinned 3rd party Action 'action.yml' step $@ uses 'foo/bar' with ref 'v2', not a pinned commit hash \| .github/actions/unpinned-tag/action.yml:5:7:6:4 \| Uses Step \| Uses Step \|`
`1`	`2`	`\| .github/workflows/actor_trusted_checkout.yml:19:13:19:36 \| completely/fakeaction@v2 \| Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash \| .github/workflows/actor_trusted_checkout.yml:19:7:23:4 \| Uses Step \| Uses Step \|`
`2`	`3`	`\| .github/workflows/actor_trusted_checkout.yml:23:13:23:37 \| fakerepo/comment-on-pr@v1 \| Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash \| .github/workflows/actor_trusted_checkout.yml:23:7:26:21 \| Uses Step \| Uses Step \|`
`3`	`4`	`\| .github/workflows/artifactpoisoning21.yml:13:15:13:49 \| dawidd6/action-download-artifact@v2 \| Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash \| .github/workflows/artifactpoisoning21.yml:13:9:18:6 \| Uses Step \| Uses Step \|`