Commit a6dba9e

Merge branch 'main' into js/vercel-node-framework
2 parents f15d53f + 0daefb7 commit a6dba9e

597 files changed

Lines changed: 117068 additions & 75967 deletions


actions/ql/lib/CHANGELOG.md

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,13 @@
1+
## 0.4.34
2+
3+
### Minor Analysis Improvements
4+
5+
* Removed false positive injection sink models for the `context` input of `docker/build-push-action` and the `allowed-endpoints` input of `step-security/harden-runner`.
6+
7+
## 0.4.33
8+
9+
No user-facing changes.
10+
111
## 0.4.32
212

313
No user-facing changes.
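Review bot: the 0.4.34 entry says the two sink models were removed because they were false positives, but it does not say why the `context` input of `docker/build-push-action` and the `allowed-endpoints` input of `step-security/harden-runner` are not injection sinks; a short clause giving the reason would help users decide whether they still want a custom model for their own workflows. It would also help to mention that the two `.model.yml` files under `ext/manual/` are deleted in this same commit, so readers of the changelog know the removal is complete rather than a disablement.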
Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
## 0.4.33
2+
3+
No user-facing changes.
Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
## 0.4.34
2+
3+
### Minor Analysis Improvements
4+
5+
* Removed false positive injection sink models for the `context` input of `docker/build-push-action` and the `allowed-endpoints` input of `step-security/harden-runner`.
Lines changed: 1 addition & 1 deletion
@@ -1,2 +1,2 @@
11
---
2-
lastReleaseVersion: 0.4.32
2+
lastReleaseVersion: 0.4.34

actions/ql/lib/ext/manual/docker_build-push-action.model.yml

Lines changed: 0 additions & 6 deletions
This file was deleted.

actions/ql/lib/ext/manual/step-security_harden-runner.model.yml

Lines changed: 0 additions & 6 deletions
This file was deleted.

actions/ql/lib/qlpack.yml

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
name: codeql/actions-all
2-
version: 0.4.33-dev
2+
version: 0.4.35-dev
33
library: true
44
warnOnImplicitThis: true
55
dependencies:
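Review bot: the version jumps from `0.4.33-dev` straight to `0.4.35-dev`, skipping a 0.4.34 dev version; this is consistent with `lastReleaseVersion` being set to `0.4.34` elsewhere in this commit (both 0.4.33 and 0.4.34 appear as released in the library CHANGELOG), so the bump looks correct, but it is worth confirming that the release tooling expects the two-version skip rather than regenerating the file.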

actions/ql/src/CHANGELOG.md

Lines changed: 15 additions & 1 deletion
@@ -1,3 +1,17 @@
1+
## 0.6.26
2+
3+
### Major Analysis Improvements
4+
5+
* Fixed alert messages in `actions/artifact-poisoning/critical` and `actions/artifact-poisoning/medium` as they previously included a redundant placeholder in the alert message that would on occasion contain a long block of yml that makes the alert difficult to understand. Also improved the wording to make it clearer that it is not the artifact that is being poisoned, but instead a potentially untrusted artifact that is consumed. Finally, changed the alert location to be the source, to align more with other queries reporting an artifact (e.g. zipslip) which is more useful.
6+
7+
### Minor Analysis Improvements
8+
9+
* The query `actions/missing-workflow-permissions` no longer produces false positive results on reusable workflows where all callers set permissions.
10+
11+
## 0.6.25
12+
13+
No user-facing changes.
14+
115
## 0.6.24
216

317
No user-facing changes.
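Review bot: the `actions/artifact-poisoning` entry under Major Analysis Improvements is a single run-on sentence; split it into the three separate changes it describes (redundant placeholder removed from the message, wording changed to say that a potentially untrusted artifact is consumed, alert location moved to the source) and write `YAML` and `Zip Slip` rather than `yml` and `zipslip`. Moving the alert location to the source also changes where existing alerts are reported, so consider stating whether previously open alerts will be closed and reopened at the new location, as the suite-move entry later in this file already does for `security-extended`.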
@@ -159,7 +173,7 @@ No user-facing changes.
159173
* `actions/if-expression-always-true/critical`
160174
* `actions/if-expression-always-true/high`
161175
* `actions/unnecessary-use-of-advanced-config`
162-
176+
163177
* The following query has been moved from the `code-scanning` suite to the `security-extended`
164178
suite. Any existing alerts for this query will be closed automatically unless the analysis is
165179
configured to use the `security-extended` suite.
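Review bot: this hunk only removes line 162 and adds line 176 with no visible content change, which suggests a trailing-whitespace or line-ending edit on a blank line; if it is incidental, consider dropping it so the merge diff for this file carries only the changelog additions.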

actions/ql/src/change-notes/2026-04-02-alert-msg-poisoning.md

Lines changed: 0 additions & 4 deletions
This file was deleted.

actions/ql/src/change-notes/2026-04-02-permissions.md

Lines changed: 0 additions & 4 deletions
This file was deleted.
