
[Actions] Unpinned actions in same organization or same enterprise incorrectly trigger actions/unpinned-tag #18316

Open
ebickle opened this issue Dec 18, 2024 · 0 comments


ebickle commented Dec 18, 2024

Description of the false positive

The CodeQL rule actions/unpinned-tag (Unpinned tag for a non-immutable Action in workflow) triggers for actions in the same organization or the same enterprise.

The description for the rule states "Unpinned 3rd party Action", which in our case triggered for an action in the same organization. Actions within the same owner, org, or enterprise are not 3rd party actions or untrusted.

Code samples or links to source code

The issue can be reproduced by:

  1. Create the repository `sample-actions` in the same org (or enterprise).
  2. Add an action to the `sample-actions` repository and tag the commit as `v1`.
  3. In a different repository, add a workflow that references the new action:

     ```yaml
     - uses: same-org/sample-actions@v1
     ```
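
Added example, not code from the issue author or from the CodeQL `actions/unpinned-tag` query itself: a small Python scanner that reproduces the shape of the check (a `uses:` reference whose ref is not a 40-character commit SHA) over a constructed workflow, and carries a hypothetical `trusted_owners` allowlist so that the same-owner case from the repro steps above is reported separately from third-party references. The workflow text, the commit SHA and the `same-org` owner are all made up for the example.

```python
"""
Added example: a simplified model of an "unpinned tag" check for GitHub
Actions workflows. It is not the CodeQL query; it only shows the two
decisions the issue is about: is the ref immutable, and is the owner one
the repository already trusts.
"""
import re
from typing import Dict, Iterable, List

# A full 40-hex commit SHA is the only ref form that cannot be moved after
# the fact; tags (v1, v4) and branches (main) are mutable.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Matches `uses: owner/repo[/sub/path]@ref`, optionally quoted. Local actions
# (./path) and docker:// references carry no @ref and are not matched.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?"
    r"([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+)"   # owner / repo
    r"(?:/[^@'\"\s]+)?"                        # optional path inside the repo
    r"@([^'\"\s#]+)"                           # the ref after @
)


def is_immutable_ref(ref: str) -> bool:
    """True only for a full commit SHA."""
    return bool(SHA_RE.match(ref))


def find_unpinned(workflow_text: str, trusted_owners: Iterable[str] = ()) -> List[Dict]:
    """Return one finding per `uses:` line whose ref is not a commit SHA.

    `trusted_owners` is a hypothetical allowlist (for example the repository's
    own organization). Findings for those owners are still returned but
    flagged with same_owner=True so the caller can decide whether to report them.
    """
    trusted = {o.lower() for o in trusted_owners}
    findings: List[Dict] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        owner, repo, ref = m.groups()
        if is_immutable_ref(ref):
            continue
        findings.append({
            "line": lineno,
            "action": f"{owner}/{repo}",
            "ref": ref,
            "same_owner": owner.lower() in trusted,
        })
    return findings


# Constructed sample workflow (not from any real repository). The SHA below is
# a placeholder with the right shape, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions/setup-node@v4
      - uses: same-org/sample-actions@v1
      - uses: ./.github/actions/local-thing
"""

if __name__ == "__main__":
    # "same-org" stands in for the repository's own organization.
    for f in find_unpinned(SAMPLE_WORKFLOW, trusted_owners=["same-org"]):
        kind = "same-owner" if f["same_owner"] else "third-party"
        print(f"line {f['line']}: {f['action']}@{f['ref']} ({kind}, not a SHA)")
```

Run against the constructed workflow, the scanner skips the SHA-pinned `actions/checkout` and the local action, reports `actions/setup-node@v4` as third-party, and reports `same-org/sample-actions@v1` with `same_owner=True`. Whether that last finding should be suppressed is exactly the question the issue raises; the scanner only labels it. Note that a tag such as `v1` can be moved to a different commit regardless of who owns the repository, which is why the check keys on the ref form rather than on the owner.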
    