You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The CodeQL rule actions/unpinned-tag (Unpinned tag for a non-immutable Action in workflow) triggers for actions in the same organization or the same enterprise.
The description for the rule states "Unpinned 3rd party Action", which in our case triggered for an action in the same organization. Actions within the same owner, org, or enterprise are not 3rd party actions or untrusted.
Code samples or links to source code
The issue can be reproduced by:
Create the repository sample-actions in the same org (or enterprise)
Add an action to the sample-actions repository and tag the commit as `v1.
In a different repository, add a workflow that references the new action:
- uses: same-org/sample-actions@v1
The text was updated successfully, but these errors were encountered:
As far as I know, CodeQL rules only look at the code - not the operating environment - so fixing this could be tricky. One idea I had is that the rule could be modified to only apply to actions in a 'public' repository. That way the rule would only need to look at public information on GitHub without any need to authenticate with an enterprise or organization.
If you can figure out how to parametrize your own organization, you could copy that query, modify it to allow your org, exclude the original, and use your modified copy instead?
Description of the false positive
The CodeQL rule
actions/unpinned-tag
(Unpinned tag for a non-immutable Action in workflow) triggers for actions in the same organization or the same enterprise.The description for the rule states "Unpinned 3rd party Action", which in our case triggered for an action in the same organization. Actions within the same owner, org, or enterprise are not 3rd party actions or untrusted.
Code samples or links to source code
The issue can be reproduced by:
sample-actions
in the same org (or enterprise)sample-actions
repository and tag the commit as `v1.The text was updated successfully, but these errors were encountered: