From 78b7399693c29523e560cb34773641ca1de3e228 Mon Sep 17 00:00:00 2001
From: Tiago Pascoal <tspascoal@github.com>
Date: Mon, 6 Apr 2026 21:32:26 +0100
Subject: [PATCH 1/4] Actions: Add workflow_dispatch and workflow_call input
 sources for code injection

Model workflow_dispatch string inputs and workflow_call string inputs as
remote flow sources. Add a new low-severity CodeInjection query for
workflow_call inputs.

The low severity CodeInjection query is explicitily added to the security-extended suite
---
 .../codeql/actions/dataflow/FlowSources.qll   |  67 ++
 .../actions/security/CodeInjectionQuery.qll   |  26 +
 .../src/Security/CWE-094/CodeInjectionLow.md  |  66 ++
 .../src/Security/CWE-094/CodeInjectionLow.ql  |  25 +
 .../Security/CWE-094/CodeInjectionMedium.md   |  40 +
 .../actions-security-extended.qls             |   3 +
 .../Models/ReusableWorkflowsSources.expected  |  10 +
 .../.github/workflows/workflow_call.yml       |  47 ++
 .../.github/workflows/workflow_dispatch.yml   |  58 ++
 .../CWE-094/CodeInjectionCritical.expected    |   9 +
 .../CWE-094/CodeInjectionLow.expected         | 708 ++++++++++++++++++
 .../Security/CWE-094/CodeInjectionLow.qlref   |   1 +
 .../CWE-094/CodeInjectionMedium.expected      |   8 +
 13 files changed, 1068 insertions(+)
 create mode 100644 actions/ql/src/Security/CWE-094/CodeInjectionLow.md
 create mode 100644 actions/ql/src/Security/CWE-094/CodeInjectionLow.ql
 create mode 100644 actions/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_call.yml
 create mode 100644 actions/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_dispatch.yml
 create mode 100644 actions/ql/test/query-tests/Security/CWE-094/CodeInjectionLow.expected
 create mode 100644 actions/ql/test/query-tests/Security/CWE-094/CodeInjectionLow.qlref

diff --git a/actions/ql/lib/codeql/actions/dataflow/FlowSources.qll b/actions/ql/lib/codeql/actions/dataflow/FlowSources.qll
index 18cc4322c81b..4a136bd20363 100644
--- a/actions/ql/lib/codeql/actions/dataflow/FlowSources.qll
+++ b/actions/ql/lib/codeql/actions/dataflow/FlowSources.qll
@@ -2,6 +2,8 @@ private import codeql.actions.security.ArtifactPoisoningQuery
 private import codeql.actions.security.UntrustedCheckoutQuery
 private import codeql.actions.config.Config
 private import codeql.actions.dataflow.ExternalFlow
+private import codeql.actions.ast.internal.Ast
+private import codeql.actions.ast.internal.Yaml
 
 /**
  * A data flow source.
@@ -363,3 +365,68 @@ class OctokitRequestActionSource extends RemoteFlowSource {
 
   override string getEventName() { result = this.asExpr().getATriggerEvent().getName() }
 }
+
+/**
+ * A workflow_dispatch input of type string used in an expression.
+ * Inputs with type string (or no explicit type, which defaults to string)
+ * are considered untrusted since they can be controlled by any user
+ * who can trigger the workflow (write access to the repository)
+ */
+class WorkflowDispatchInputSource extends RemoteFlowSource {
+  WorkflowDispatchInputSource() {
+    exists(InputsExpression e, Event event, string inputName |
+      this.asExpr() = e and
+      inputName = e.getFieldName() and
+      event = e.getATriggerEvent() and
+      event.getName() = "workflow_dispatch" and
+      exists(YamlMapping eventMapping, YamlMapping inputsMapping |
+        eventMapping = event.(EventImpl).getValueNode() and
+        inputsMapping = eventMapping.lookup("inputs") and
+        exists(YamlMapping inputMapping |
+          inputMapping = inputsMapping.lookup(inputName) and
+          (
+            // explicit type: string
+            inputMapping.lookup("type").(YamlScalar).getValue().toLowerCase() = "string"
+            or
+            // no explicit type (defaults to string in GitHub Actions)
+            not exists(inputMapping.lookup("type"))
+          )
+        )
+      )
+    )
+  }
+
+  override string getSourceType() { result = "text" }
+
+  override string getEventName() { result = "workflow_dispatch" }
+}
+
+/**
+ * A workflow_call input of type string used in an expression.
+ * Only string-typed inputs are considered vulnerable to code injection.
+ * This is lower risk since only workflow authors control the callers,
+ * but the inputs may still originate from untrusted user input in the
+ * calling workflow.
+ */
+class WorkflowCallInputSource extends RemoteFlowSource {
+  WorkflowCallInputSource() {
+    exists(InputsExpression e, ReusableWorkflowImpl w, string inputName |
+      this.asExpr() = e and
+      inputName = e.getFieldName() and
+      w = e.getEnclosingWorkflow() and
+      exists(YamlMapping inputsMapping, YamlMapping inputMapping |
+        inputsMapping = w.getInputs().getNode() and
+        inputMapping = inputsMapping.lookup(inputName) and
+        inputMapping.lookup("type").(YamlScalar).getValue().toLowerCase() = "string"
+      )
+    )
+  }
+
+  override string getSourceType() { result = "text" }
+
+  override string getEventName() {
+    result = this.asExpr().getATriggerEvent().getName()
+    or
+    not exists(this.asExpr().getATriggerEvent()) and result = "workflow_call"
+  }
+}
diff --git a/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
index 3d5b8852b850..5edc7e9b71f1 100644
--- a/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
@@ -99,6 +99,16 @@ predicate criticalSeverityCodeInjection(
   source.getNode().(RemoteFlowSource).getEventName() = event.getName()
 }
 
+/**
+ * Holds if the source is an input expression inside a reusable workflow (workflow_call).
+ */
+private predicate isWorkflowCallInput(DataFlow::Node source) {
+  exists(InputsExpression e |
+    source.asExpr() = e and
+    e.getEnclosingWorkflow() instanceof ReusableWorkflow
+  )
+}
+
 /**
  * Holds if there is a code injection flow from `source` to `sink` with medium severity.
  */
@@ -107,6 +117,22 @@ predicate mediumSeverityCodeInjection(
 ) {
   CodeInjectionFlow::flowPath(source, sink) and
   not criticalSeverityCodeInjection(source, sink, _) and
+  not isWorkflowCallInput(source.getNode()) and
+  not isGithubScriptUsingToJson(sink.getNode().asExpr())
+}
+
+/**
+ * Holds if there is a code injection flow from `source` to `sink` with low severity.
+ * This covers workflow_call inputs, which are lower risk since only users with
+ * write access control the callers, but the inputs may still originate from
+ * untrusted user input in the calling workflow.
+ */
+predicate lowSeverityCodeInjection(
+  CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink
+) {
+  CodeInjectionFlow::flowPath(source, sink) and
+  source.getNode() instanceof WorkflowCallInputSource and
+  not criticalSeverityCodeInjection(source, sink, _) and
   not isGithubScriptUsingToJson(sink.getNode().asExpr())
 }
 
diff --git a/actions/ql/src/Security/CWE-094/CodeInjectionLow.md b/actions/ql/src/Security/CWE-094/CodeInjectionLow.md
new file mode 100644
index 000000000000..1c63e68b3213
--- /dev/null
+++ b/actions/ql/src/Security/CWE-094/CodeInjectionLow.md
@@ -0,0 +1,66 @@
+## Overview
+
+Using string-typed `workflow_call` inputs in GitHub Actions may lead to code injection in contexts like _run:_ or _script:_.
+
+Inputs declared as `string` should be treated with caution. Although `workflow_call` can only be triggered by other workflows (not directly by external users), the calling workflow may pass untrusted user input as arguments. Since the reusable workflow author has no control over the callers, these inputs may still originate from untrusted data.
+
+Code injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token.
+
+## Recommendation
+
+The best practice to avoid code injection vulnerabilities in GitHub workflows is to set the untrusted input value of the expression to an intermediate environment variable and then use the environment variable using the native syntax of the shell/script interpreter (that is, not _${{ env.VAR }}_).
+
+It is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN.
+
+## Example
+
+### Incorrect Usage
+
+The following example uses a `workflow_call` input directly in a _run:_ step, which allows code injection if the caller passes untrusted data:
+
+```yaml
+on:
+  workflow_call:
+    inputs:
+      title:
+        description: 'Title'
+        type: string
+
+jobs:
+  greet:
+    runs-on: ubuntu-latest
+    steps:
+      - run: |
+          echo '${{ inputs.title }}'
+```
+
+### Correct Usage
+
+The following example safely uses a `workflow_call` input by passing it through an environment variable:
+
+```yaml
+on:
+  workflow_call:
+    inputs:
+      title:
+        description: 'Title'
+        type: string
+
+jobs:
+  greet:
+    runs-on: ubuntu-latest
+    steps:
+      - env:
+          TITLE: ${{ inputs.title }}
+        run: |
+          echo "$TITLE"
+```
+
+## References
+
+- GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure: Untrusted input](https://securitylab.github.com/research/github-actions-untrusted-input).
+- GitHub Docs: [Security hardening for GitHub Actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions).
+- GitHub Docs: [Reusing workflows](https://docs.github.com/en/actions/using-workflows/reusing-workflows).
+- Common Weakness Enumeration: [CWE-94: Improper Control of Generation of Code ('Code Injection')](https://cwe.mitre.org/data/definitions/94.html).
+- Common Weakness Enumeration: [CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')](https://cwe.mitre.org/data/definitions/95.html).
+- Common Weakness Enumeration: [CWE-116: Improper Encoding or Escaping of Output](https://cwe.mitre.org/data/definitions/116.html).
diff --git a/actions/ql/src/Security/CWE-094/CodeInjectionLow.ql b/actions/ql/src/Security/CWE-094/CodeInjectionLow.ql
new file mode 100644
index 000000000000..a12ba0e66d55
--- /dev/null
+++ b/actions/ql/src/Security/CWE-094/CodeInjectionLow.ql
@@ -0,0 +1,25 @@
+/**
+ * @name Code injection
+ * @description Using unsanitized workflow_call inputs as code allows a calling workflow to
+ *              pass untrusted user input, leading to code execution.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 3.0
+ * @precision low
+ * @id actions/code-injection/low
+ * @tags actions
+ *       security
+ *       external/cwe/cwe-094
+ *       external/cwe/cwe-095
+ *       external/cwe/cwe-116
+ */
+
+import actions
+import codeql.actions.security.CodeInjectionQuery
+import CodeInjectionFlow::PathGraph
+
+from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink
+where lowSeverityCodeInjection(source, sink)
+select sink.getNode(), source, sink,
+  "Potential code injection in $@, which may be controlled by a calling workflow.", sink,
+  sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/actions/ql/src/Security/CWE-094/CodeInjectionMedium.md b/actions/ql/src/Security/CWE-094/CodeInjectionMedium.md
index 1c8c016dade8..fba8a990161b 100644
--- a/actions/ql/src/Security/CWE-094/CodeInjectionMedium.md
+++ b/actions/ql/src/Security/CWE-094/CodeInjectionMedium.md
@@ -2,6 +2,8 @@
 
 Using user-controlled input in GitHub Actions may lead to code injection in contexts like _run:_ or _script:_.
 
+This includes inputs from events such as `issue_comment`, `pull_request`, and `workflow_dispatch`. In particular, `workflow_dispatch` inputs with type `string` (or no type, which defaults to `string`) are user-controlled and should be treated as untrusted. Note that `workflow_dispatch` can only be triggered by users with write permissions to the repository, so the risk is lower than for events like `issue_comment` which can be triggered by any user. Nevertheless, this is still a code injection vector and should be handled safely.
+
 Code injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token may have write access to the repository, allowing an attacker to make changes to the repository.
 
 ## Recommendation
@@ -27,6 +29,24 @@ jobs:
           echo '${{ github.event.comment.body }}'
 ```
 
+The following example uses a `workflow_dispatch` string input directly in a _run:_ step, which allows code injection:
+
+```yaml
+on:
+  workflow_dispatch:
+    inputs:
+      title:
+        description: 'Title'
+        type: string
+
+jobs:
+  greet:
+    runs-on: ubuntu-latest
+    steps:
+      - run: |
+          echo '${{ inputs.title }}'
+```
+
 The following example uses an environment variable, but **still allows the injection** because of the use of expression syntax:
 
 ```yaml
@@ -57,6 +77,26 @@ jobs:
           echo "$BODY"
 ```
 
+The following example safely uses a `workflow_dispatch` input by passing it through an environment variable:
+
+```yaml
+on:
+  workflow_dispatch:
+    inputs:
+      title:
+        description: 'Title'
+        type: string
+
+jobs:
+  greet:
+    runs-on: ubuntu-latest
+    steps:
+      - env:
+          TITLE: ${{ inputs.title }}
+        run: |
+          echo "$TITLE"
+```
+
 The following example uses `process.env` to read environment variables within JavaScript code.
 
 ```yaml
diff --git a/actions/ql/src/codeql-suites/actions-security-extended.qls b/actions/ql/src/codeql-suites/actions-security-extended.qls
index 79528a92e1a2..41226438375c 100644
--- a/actions/ql/src/codeql-suites/actions-security-extended.qls
+++ b/actions/ql/src/codeql-suites/actions-security-extended.qls
@@ -2,3 +2,6 @@
 - queries: .
 - apply: security-extended-selectors.yml
   from: codeql/suite-helpers
+# Explicitly include low-precision queries that are excluded by security-extended-selectors.yml.
+- include:
+    query path: Security/CWE-094/CodeInjectionLow.ql
diff --git a/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.expected b/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.expected
index c76034f74d46..5b2b00b111d1 100644
--- a/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.expected
+++ b/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.expected
@@ -1,12 +1,22 @@
 edges
+| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | provenance |  |
 | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | provenance |  |
+| .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | provenance |  |
 | .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | provenance |  |
+| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | provenance |  |
+| .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | provenance |  |
 | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | provenance |  |
 nodes
+| .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | semmle.label | jobs.job1.outputs.job-output1 |
 | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | semmle.label | jobs.job1.outputs.job-output2 |
+| .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | semmle.label | Job outputs node [job-output1] |
 | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | semmle.label | Job outputs node [job-output2] |
+| .github/workflows/reusable_workflow.yml:22:21:22:57 | steps.step1.outputs.step-output | semmle.label | steps.step1.outputs.step-output |
 | .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | semmle.label | steps.step2.outputs.all_changed_files |
+| .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | semmle.label | Run Step: step1 [step-output] |
+| .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | semmle.label | inputs.config-path |
 | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | semmle.label | Uses Step: step2 |
 subpaths
 #select
+| .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | Source |
 | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | Source |
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_call.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_call.yml
new file mode 100644
index 000000000000..50301dd43da9
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_call.yml
@@ -0,0 +1,47 @@
+name: Code Injection via workflow_call
+
+on:
+  workflow_call:
+    inputs:
+      title:
+        description: "Title string input"
+        required: true
+        type: string
+      count:
+        description: "A number input"
+        required: false
+        type: number
+      flag:
+        description: "A boolean input"
+        required: false
+        type: boolean
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      # Vulnerable: string input used directly in run script
+      - name: vulnerable string input
+        run: |
+          echo "${{ inputs.title }}"
+
+      # Not vulnerable: number input (not a string type)
+      - name: safe number input
+        run: |
+          echo "${{ inputs.count }}"
+
+      # Not vulnerable: boolean input (not a string type)
+      - name: safe boolean input
+        run: |
+          echo "${{ inputs.flag }}"
+
+      # Not vulnerable: input passed safely through env var
+      - name: safe string input via env
+        run: |
+          echo "$title"
+        env:
+          title: ${{ inputs.title }}
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_dispatch.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_dispatch.yml
new file mode 100644
index 000000000000..920ed7236bea
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_dispatch.yml
@@ -0,0 +1,58 @@
+name: Code Injection via workflow_dispatch
+
+on:
+  workflow_dispatch:
+    inputs:
+      title:
+        description: "Title for the issue"
+        required: true
+        type: string
+      body:
+        description: "Body with no explicit type (defaults to string)"
+        required: false
+      flag:
+        description: "A boolean input"
+        required: false
+        type: boolean
+      option:
+        description: "A choice input"
+        required: false
+        type: choice
+        options:
+          - "option1"
+          - "option2"
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      # Vulnerable: string input used directly in run script
+      - name: vulnerable string input
+        run: |
+          echo "${{ inputs.title }}"
+
+      # Vulnerable: input with no explicit type (defaults to string) used directly
+      - name: vulnerable untyped input
+        run: |
+          echo "${{ inputs.body }}"
+
+      # Not vulnerable: string input passed safely through env var
+      - name: safe string input via env
+        run: |
+          echo "$title"
+        env:
+          title: ${{ inputs.title }}
+
+      # Not vulnerable: boolean input used directly
+      - name: safe boolean input
+        run: |
+          echo "${{ inputs.flag }}"
+
+      # Not vulnerable: choice input used directly
+      - name: safe choice input
+        run: |
+          echo "${{ inputs.option }}"
diff --git a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
index 9bf7e9aa56db..660dd5c7e454 100644
--- a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
+++ b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
@@ -651,6 +651,7 @@ nodes
 | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | semmle.label | toJSON(steps.parse.outputs.data) |
 | .github/workflows/test26.yml:17:9:22:6 | Run Step: read_issue_body [body] | semmle.label | Run Step: read_issue_body [body] |
 | .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | semmle.label | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT |
+| .github/workflows/test26.yml:20:39:20:64 | inputs.issue_number | semmle.label | inputs.issue_number |
 | .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | semmle.label | Uses Step: parse [data] |
 | .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | semmle.label | steps.read_issue_body.outputs.body |
 | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | semmle.label | steps.parse.outputs.data |
@@ -681,6 +682,11 @@ nodes
 | .github/workflows/untrusted_checkout1.yml:11:9:14:6 | Run Step: artifact [pr_number] | semmle.label | Run Step: artifact [pr_number] |
 | .github/workflows/untrusted_checkout1.yml:12:14:13:63 | echo "::set-output name=pr_number::$(<artifact.txt)"\n | semmle.label | echo "::set-output name=pr_number::$(<artifact.txt)"\n |
 | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | semmle.label | steps.artifact.outputs.pr_number |
+| .github/workflows/workflow_call.yml:30:18:30:36 | inputs.title | semmle.label | inputs.title |
+| .github/workflows/workflow_call.yml:35:18:35:36 | inputs.count | semmle.label | inputs.count |
+| .github/workflows/workflow_call.yml:40:18:40:35 | inputs.flag | semmle.label | inputs.flag |
+| .github/workflows/workflow_dispatch.yml:36:18:36:36 | inputs.title | semmle.label | inputs.title |
+| .github/workflows/workflow_dispatch.yml:41:18:41:35 | inputs.body | semmle.label | inputs.body |
 | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | semmle.label | github.event.workflow_run.display_title |
 | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | semmle.label | github.event.workflow_run.head_commit.message |
 | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | semmle.label | github.event.workflow_run.head_commit.author.email |
@@ -735,6 +741,7 @@ subpaths
 | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/discussion_comment.yml:1:5:1:22 | discussion_comment | discussion_comment |
 | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run |
 | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:84:75 | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<<EOF" >> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n  "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n  'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | ${{ steps.git-commit.outputs.file-list }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | ${{ env.log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target |
@@ -774,6 +781,7 @@ subpaths
 | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target |
 | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target |
 | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} | .github/workflows/pull_request_target.yml:1:5:1:23 | pull_request_target | pull_request_target |
+| .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | ${{ env.log }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | .github/workflows/reusable-workflow-2.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | .github/workflows/reusable-workflow-caller-2.yml:4:3:4:21 | pull_request_target | pull_request_target |
@@ -849,6 +857,7 @@ subpaths
 | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | ${{ steps.parse.outputs.payload }} | .github/workflows/test24.yml:2:3:2:8 | issues | issues |
 | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | ${{ steps.parse.outputs.data }} | .github/workflows/test25.yml:3:5:3:10 | issues | issues |
 | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | ${{ toJSON(steps.parse.outputs.data) }} | .github/workflows/test25.yml:3:5:3:10 | issues | issues |
+| .github/workflows/test26.yml:20:39:20:64 | inputs.issue_number | .github/workflows/test26.yml:20:39:20:64 | inputs.issue_number | .github/workflows/test26.yml:20:39:20:64 | inputs.issue_number | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test26.yml:20:39:20:64 | inputs.issue_number | ${{ inputs.issue_number }} | .github/workflows/test26.yml:4:3:4:19 | workflow_dispatch | workflow_dispatch |
 | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | ${{ steps.parse.outputs.data }} | .github/workflows/test26.yml:4:3:4:19 | workflow_dispatch | workflow_dispatch |
 | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | ${{ toJSON(steps.parse.outputs.data) }} | .github/workflows/test26.yml:4:3:4:19 | workflow_dispatch | workflow_dispatch |
 | .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | .github/workflows/test27.yml:35:9:41:6 | Uses Step | .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | ${{ needs.setup.outputs.chart-version }} | .github/workflows/test27.yml:4:3:4:14 | workflow_run | workflow_run |
diff --git a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionLow.expected b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionLow.expected
new file mode 100644
index 000000000000..c179a2106802
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionLow.expected
@@ -0,0 +1,708 @@
+edges
+| .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:23:15:23:33 | inputs.taint | provenance |  |
+| .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | provenance |  |
+| .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result2] | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result2] | provenance |  |
+| .github/actions/action5/action.yml:11:13:11:44 | steps.step.outputs.result | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | provenance |  |
+| .github/actions/action5/action.yml:14:13:14:46 | steps.step2.outputs.result2 | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result2] | provenance |  |
+| .github/actions/action5/action.yml:20:7:26:4 | Run Step: step [result] | .github/actions/action5/action.yml:11:13:11:44 | steps.step.outputs.result | provenance |  |
+| .github/actions/action5/action.yml:23:15:23:33 | inputs.taint | .github/actions/action5/action.yml:20:7:26:4 | Run Step: step [result] | provenance |  |
+| .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | .github/actions/action5/action.yml:14:13:14:46 | steps.step2.outputs.result2 | provenance |  |
+| .github/actions/action5/action.yml:28:16:28:45 | github.event.issue.body | .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | provenance |  |
+| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | provenance |  |
+| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | provenance |  |
+| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | provenance |  |
+| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | provenance |  |
+| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | provenance |  |
+| .github/actions/external/ultralytics/actions/action.yaml:66:3:66:6 | input body | .github/actions/external/ultralytics/actions/action.yaml:96:16:96:33 | inputs.body | provenance |  |
+| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | provenance |  |
+| .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | provenance |  |
+| .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | provenance |  |
+| .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:22:14:22:55 | echo "::set-output name=id::$(<pr-id.txt)" | provenance | Config |
+| .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | provenance |  |
+| .github/workflows/artifactpoisoning1.yml:22:14:22:55 | echo "::set-output name=id::$(<pr-id.txt)" | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | provenance |  |
+| .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | provenance |  |
+| .github/workflows/artifactpoisoning3.yml:20:9:41:6 | Uses Step | .github/workflows/artifactpoisoning3.yml:43:14:51:45 | unzip input.zip\necho current directory contents\nls -al\n\necho Reading PR number\ntmp=$(<pr)\necho "PR: ${tmp}"\necho "pr=${tmp}" >> $GITHUB_OUTPUT\n | provenance | Config |
+| .github/workflows/artifactpoisoning3.yml:41:9:53:6 | Run Step: prepare [pr] | .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | provenance |  |
+| .github/workflows/artifactpoisoning3.yml:43:14:51:45 | unzip input.zip\necho current directory contents\nls -al\n\necho Reading PR number\ntmp=$(<pr)\necho "PR: ${tmp}"\necho "pr=${tmp}" >> $GITHUB_OUTPUT\n | .github/workflows/artifactpoisoning3.yml:41:9:53:6 | Run Step: prepare [pr] | provenance |  |
+| .github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning4.yml:19:14:19:58 | echo "::set-output name=id::$(<artifact.txt)" | provenance | Config |
+| .github/workflows/artifactpoisoning4.yml:17:9:21:6 | Run Step: artifact [id] | .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | provenance |  |
+| .github/workflows/artifactpoisoning4.yml:19:14:19:58 | echo "::set-output name=id::$(<artifact.txt)" | .github/workflows/artifactpoisoning4.yml:17:9:21:6 | Run Step: artifact [id] | provenance |  |
+| .github/workflows/artifactpoisoning5.yml:8:9:16:6 | Uses Step | .github/workflows/artifactpoisoning5.yml:16:9:21:6 | Uses Step: artifact [content] | provenance |  |
+| .github/workflows/artifactpoisoning5.yml:16:9:21:6 | Uses Step: artifact [content] | .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | provenance |  |
+| .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning6.yml:16:14:19:57 | echo "::set-output name=pr_number::$(<artifact.txt)"\nmkdir firebase-android\nunzip firebase-android.zip -d firebase-android\n | provenance | Config |
+| .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning6.yml:24:14:27:57 | echo "::set-output name=pr_number::$(cat -e artifact.txt)"\nmkdir firebase-android\nunzip firebase-android.zip -d firebase-android\n | provenance | Config |
+| .github/workflows/artifactpoisoning6.yml:15:9:20:6 | Run Step: artifact [pr_number] | .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | provenance |  |
+| .github/workflows/artifactpoisoning6.yml:16:14:19:57 | echo "::set-output name=pr_number::$(<artifact.txt)"\nmkdir firebase-android\nunzip firebase-android.zip -d firebase-android\n | .github/workflows/artifactpoisoning6.yml:15:9:20:6 | Run Step: artifact [pr_number] | provenance |  |
+| .github/workflows/artifactpoisoning6.yml:23:9:28:6 | Run Step: artifact2 [pr_number] | .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | provenance |  |
+| .github/workflows/artifactpoisoning6.yml:24:14:27:57 | echo "::set-output name=pr_number::$(cat -e artifact.txt)"\nmkdir firebase-android\nunzip firebase-android.zip -d firebase-android\n | .github/workflows/artifactpoisoning6.yml:23:9:28:6 | Run Step: artifact2 [pr_number] | provenance |  |
+| .github/workflows/artifactpoisoning7.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:16:14:28:57 | set -eou pipefail\npr_number=$(cat -e artifact.txt)\npr_number=${pr_number%?}\npr_length=${#pr_number}\nonly_numbers_re="^[0-9]+$"\nif ! [[ $pr_length <= 10 && $pr_number =~ $only_numbers_re ]] ; then\n  echo "invalid PR number"\n  exit 1\nfi\necho "::set-output name=pr_number::$pr_number"\nmkdir firebase-android\nunzip firebase-android.zip -d firebase-android\n | provenance | Config |
+| .github/workflows/artifactpoisoning7.yml:15:9:29:6 | Run Step: artifact [pr_number] | .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | provenance |  |
+| .github/workflows/artifactpoisoning7.yml:16:14:28:57 | set -eou pipefail\npr_number=$(cat -e artifact.txt)\npr_number=${pr_number%?}\npr_length=${#pr_number}\nonly_numbers_re="^[0-9]+$"\nif ! [[ $pr_length <= 10 && $pr_number =~ $only_numbers_re ]] ; then\n  echo "invalid PR number"\n  exit 1\nfi\necho "::set-output name=pr_number::$pr_number"\nmkdir firebase-android\nunzip firebase-android.zip -d firebase-android\n | .github/workflows/artifactpoisoning7.yml:15:9:29:6 | Run Step: artifact [pr_number] | provenance |  |
+| .github/workflows/artifactpoisoning8.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning8.yml:19:14:19:58 | echo "::set-output name=id::$(<artifact.txt)" | provenance | Config |
+| .github/workflows/artifactpoisoning8.yml:17:9:21:6 | Run Step: artifact [id] | .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | provenance |  |
+| .github/workflows/artifactpoisoning8.yml:19:14:19:58 | echo "::set-output name=id::$(<artifact.txt)" | .github/workflows/artifactpoisoning8.yml:17:9:21:6 | Run Step: artifact [id] | provenance |  |
+| .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | provenance |  |
+| .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | provenance |  |
+| .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | provenance |  |
+| .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result2] | .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | provenance |  |
+| .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | provenance |  |
+| .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | provenance |  |
+| .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | provenance |  |
+| .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | provenance |  |
+| .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | provenance |  |
+| .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | provenance |  |
+| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | provenance |  |
+| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | provenance |  |
+| .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | provenance |  |
+| .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | provenance |  |
+| .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | provenance |  |
+| .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | provenance |  |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | provenance |  |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:84:75 | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<<EOF" >> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n  "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n  'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | provenance |  |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | provenance |  |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | provenance |  |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | provenance |  |
+| .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | provenance |  |
+| .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | provenance |  |
+| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | provenance |  |
+| .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | provenance |  |
+| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | provenance |  |
+| .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | provenance |  |
+| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | provenance |  |
+| .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | provenance |  |
+| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | provenance |  |
+| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | provenance |  |
+| .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | provenance |  |
+| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | provenance |  |
+| .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | provenance |  |
+| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | provenance |  |
+| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | provenance |  |
+| .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | provenance |  |
+| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | provenance |  |
+| .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | provenance |  |
+| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | provenance |  |
+| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | provenance |  |
+| .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | provenance |  |
+| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | provenance |  |
+| .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | provenance |  |
+| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | provenance |  |
+| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | provenance |  |
+| .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | provenance |  |
+| .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | provenance |  |
+| .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | provenance |  |
+| .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | provenance |  |
+| .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | provenance |  |
+| .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | provenance |  |
+| .github/workflows/reusable-workflow-1.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | provenance |  |
+| .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | provenance |  |
+| .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | provenance |  |
+| .github/workflows/reusable-workflow-2.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | provenance |  |
+| .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | provenance |  |
+| .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | provenance |  |
+| .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | provenance |  |
+| .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | provenance |  |
+| .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | provenance |  |
+| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | provenance |  |
+| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | provenance |  |
+| .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | provenance |  |
+| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | provenance |  |
+| .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | provenance |  |
+| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | provenance |  |
+| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | provenance |  |
+| .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | provenance |  |
+| .github/workflows/slash_command2.yml:11:9:20:6 | Uses Step: command | .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | provenance |  |
+| .github/workflows/test1.yml:15:5:27:39 | Job: updateJira [ISSUE_KEY] | .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | provenance |  |
+| .github/workflows/test1.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test1.yml:15:5:27:39 | Job: updateJira [ISSUE_KEY] | provenance |  |
+| .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | provenance |  |
+| .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | provenance |  |
+| .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | provenance |  |
+| .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | provenance |  |
+| .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | provenance |  |
+| .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | provenance |  |
+| .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | provenance |  |
+| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | provenance |  |
+| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | provenance |  |
+| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | provenance |  |
+| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | provenance |  |
+| .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | provenance |  |
+| .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | provenance |  |
+| .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | provenance |  |
+| .github/workflows/test11.yml:19:7:21:4 | Job outputs node [pr_num] | .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | provenance |  |
+| .github/workflows/test11.yml:19:7:21:4 | Job outputs node [ref] | .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | provenance |  |
+| .github/workflows/test11.yml:19:16:19:50 | steps.set-ref.outputs.pr_num | .github/workflows/test11.yml:19:7:21:4 | Job outputs node [pr_num] | provenance |  |
+| .github/workflows/test11.yml:20:13:20:44 | steps.set-ref.outputs.ref | .github/workflows/test11.yml:19:7:21:4 | Job outputs node [ref] | provenance |  |
+| .github/workflows/test11.yml:22:9:30:6 | Uses Step | .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | provenance | Config |
+| .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [pr_num] | .github/workflows/test11.yml:19:16:19:50 | steps.set-ref.outputs.pr_num | provenance |  |
+| .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [ref] | .github/workflows/test11.yml:20:13:20:44 | steps.set-ref.outputs.ref | provenance |  |
+| .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [pr_num] | provenance |  |
+| .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [ref] | provenance |  |
+| .github/workflows/test14.yml:13:9:16:6 | Run Step: changed-files [files] | .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | provenance |  |
+| .github/workflows/test14.yml:14:14:15:117 | echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:13:9:16:6 | Run Step: changed-files [files] | provenance |  |
+| .github/workflows/test14.yml:23:9:27:6 | Run Step: changed-files [files] | .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | provenance |  |
+| .github/workflows/test14.yml:24:14:26:52 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n | .github/workflows/test14.yml:23:9:27:6 | Run Step: changed-files [files] | provenance |  |
+| .github/workflows/test14.yml:29:5:38:2 | Job: test3 [CHANGED-FILES] | .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | provenance |  |
+| .github/workflows/test14.yml:35:14:36:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:29:5:38:2 | Job: test3 [CHANGED-FILES] | provenance |  |
+| .github/workflows/test14.yml:39:5:48:45 | Job: test4 [CHANGED-FILES] | .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | provenance |  |
+| .github/workflows/test14.yml:45:14:47:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:39:5:48:45 | Job: test4 [CHANGED-FILES] | provenance |  |
+| .github/workflows/test15.yml:10:9:13:6 | Run Step: title [title] | .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | provenance |  |
+| .github/workflows/test15.yml:11:14:12:103 | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:10:9:13:6 | Run Step: title [title] | provenance |  |
+| .github/workflows/test15.yml:17:9:21:6 | Run Step: title [title] | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | provenance |  |
+| .github/workflows/test15.yml:18:14:20:53 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:17:9:21:6 | Run Step: title [title] | provenance |  |
+| .github/workflows/test15.yml:23:5:29:2 | Job: test3 [TITLE] | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | provenance |  |
+| .github/workflows/test15.yml:26:14:27:100 | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:23:5:29:2 | Job: test3 [TITLE] | provenance |  |
+| .github/workflows/test15.yml:30:5:36:37 | Job: test4 [TITLE] | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | provenance |  |
+| .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:30:5:36:37 | Job: test4 [TITLE] | provenance |  |
+| .github/workflows/test16.yml:20:13:24:8 | Job outputs node [ref] | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | provenance |  |
+| .github/workflows/test16.yml:21:19:21:48 | steps.ref.outputs.value | .github/workflows/test16.yml:20:13:24:8 | Job outputs node [ref] | provenance |  |
+| .github/workflows/test16.yml:26:15:33:12 | Uses Step | .github/workflows/test16.yml:47:20:47:64 | echo "value=$(<pr-ref.txt)" >> $GITHUB_OUTPUT | provenance | Config |
+| .github/workflows/test16.yml:38:15:45:12 | Uses Step | .github/workflows/test16.yml:47:20:47:64 | echo "value=$(<pr-ref.txt)" >> $GITHUB_OUTPUT | provenance | Config |
+| .github/workflows/test16.yml:45:15:50:12 | Run Step: ref [value] | .github/workflows/test16.yml:21:19:21:48 | steps.ref.outputs.value | provenance |  |
+| .github/workflows/test16.yml:47:20:47:64 | echo "value=$(<pr-ref.txt)" >> $GITHUB_OUTPUT | .github/workflows/test16.yml:45:15:50:12 | Run Step: ref [value] | provenance |  |
+| .github/workflows/test16.yml:99:13:102:8 | Job outputs node [commit-message] | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | provenance |  |
+| .github/workflows/test16.yml:100:30:100:70 | steps.commit-message.outputs.value | .github/workflows/test16.yml:99:13:102:8 | Job outputs node [commit-message] | provenance |  |
+| .github/workflows/test16.yml:123:15:128:12 | Run Step: commit-message [value] | .github/workflows/test16.yml:100:30:100:70 | steps.commit-message.outputs.value | provenance |  |
+| .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | .github/workflows/test16.yml:123:15:128:12 | Run Step: commit-message [value] | provenance |  |
+| .github/workflows/test17.yml:14:13:22:10 | Uses Step: get-pr | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | provenance |  |
+| .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | provenance |  |
+| .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | provenance |  |
+| .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | provenance |  |
+| .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | provenance |  |
+| .github/workflows/test19.yml:10:9:14:6 | Run Step: head_ref [head_ref] | .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | provenance |  |
+| .github/workflows/test19.yml:11:14:13:56 | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:10:9:14:6 | Run Step: head_ref [head_ref] | provenance |  |
+| .github/workflows/test19.yml:15:9:19:6 | Run Step: title [title] | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | provenance |  |
+| .github/workflows/test19.yml:16:14:18:50 | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:15:9:19:6 | Run Step: title [title] | provenance |  |
+| .github/workflows/test19.yml:20:9:24:6 | Run Step: body [body] | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | provenance |  |
+| .github/workflows/test19.yml:21:14:23:48 | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:20:9:24:6 | Run Step: body [body] | provenance |  |
+| .github/workflows/test19.yml:25:9:29:6 | Run Step: comments [comments] | .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | provenance |  |
+| .github/workflows/test19.yml:26:14:28:56 | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:25:9:29:6 | Run Step: comments [comments] | provenance |  |
+| .github/workflows/test19.yml:30:9:34:6 | Run Step: files [files] | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | provenance |  |
+| .github/workflows/test19.yml:31:14:33:58 | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:30:9:34:6 | Run Step: files [files] | provenance |  |
+| .github/workflows/test19.yml:35:9:39:6 | Run Step: author [author] | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | provenance |  |
+| .github/workflows/test19.yml:36:14:38:52 | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:35:9:39:6 | Run Step: author [author] | provenance |  |
+| .github/workflows/test19.yml:43:9:47:6 | Run Step: head_ref [head_ref] | .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | provenance |  |
+| .github/workflows/test19.yml:44:14:46:56 | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:43:9:47:6 | Run Step: head_ref [head_ref] | provenance |  |
+| .github/workflows/test19.yml:48:9:52:6 | Run Step: title [title] | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | provenance |  |
+| .github/workflows/test19.yml:49:14:51:50 | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:48:9:52:6 | Run Step: title [title] | provenance |  |
+| .github/workflows/test19.yml:53:9:57:6 | Run Step: body [body] | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | provenance |  |
+| .github/workflows/test19.yml:54:14:56:48 | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:53:9:57:6 | Run Step: body [body] | provenance |  |
+| .github/workflows/test19.yml:58:9:62:6 | Run Step: comments [comments] | .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | provenance |  |
+| .github/workflows/test19.yml:59:14:61:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:58:9:62:6 | Run Step: comments [comments] | provenance |  |
+| .github/workflows/test19.yml:63:9:67:6 | Run Step: files [files] | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | provenance |  |
+| .github/workflows/test19.yml:64:14:66:58 | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:63:9:67:6 | Run Step: files [files] | provenance |  |
+| .github/workflows/test19.yml:68:9:72:6 | Run Step: author [author] | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | provenance |  |
+| .github/workflows/test19.yml:69:14:71:52 | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:68:9:72:6 | Run Step: author [author] | provenance |  |
+| .github/workflows/test19.yml:76:9:80:6 | Run Step: title [title] | .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | provenance |  |
+| .github/workflows/test19.yml:77:14:79:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:76:9:80:6 | Run Step: title [title] | provenance |  |
+| .github/workflows/test19.yml:81:9:85:6 | Run Step: body [body] | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | provenance |  |
+| .github/workflows/test19.yml:82:14:84:48 | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:81:9:85:6 | Run Step: body [body] | provenance |  |
+| .github/workflows/test19.yml:86:9:90:6 | Run Step: comments [comments] | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | provenance |  |
+| .github/workflows/test19.yml:87:14:89:56 | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:86:9:90:6 | Run Step: comments [comments] | provenance |  |
+| .github/workflows/test19.yml:94:9:98:6 | Run Step: title [title] | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | provenance |  |
+| .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:94:9:98:6 | Run Step: title [title] | provenance |  |
+| .github/workflows/test19.yml:99:9:103:6 | Run Step: body [body] | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | provenance |  |
+| .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:99:9:103:6 | Run Step: body [body] | provenance |  |
+| .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | provenance |  |
+| .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | provenance |  |
+| .github/workflows/test19.yml:112:9:117:6 | Run Step: title1 [title] | .github/workflows/test19.yml:117:21:117:52 | steps.title1.outputs.title | provenance |  |
+| .github/workflows/test19.yml:113:14:116:50 | DETAILS=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $DETAILS \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:112:9:117:6 | Run Step: title1 [title] | provenance |  |
+| .github/workflows/test19.yml:118:9:123:6 | Run Step: title2 [title] | .github/workflows/test19.yml:123:21:123:52 | steps.title2.outputs.title | provenance |  |
+| .github/workflows/test19.yml:119:14:122:50 | TITLE=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:118:9:123:6 | Run Step: title2 [title] | provenance |  |
+| .github/workflows/test19.yml:124:9:129:6 | Run Step: title3 [title] | .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | provenance |  |
+| .github/workflows/test19.yml:125:14:128:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:124:9:129:6 | Run Step: title3 [title] | provenance |  |
+| .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | provenance |  |
+| .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | provenance |  |
+| .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | provenance |  |
+| .github/workflows/test26.yml:17:9:22:6 | Run Step: read_issue_body [body] | .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | provenance |  |
+| .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | .github/workflows/test26.yml:17:9:22:6 | Run Step: read_issue_body [body] | provenance |  |
+| .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | provenance |  |
+| .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | provenance |  |
+| .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | provenance |  |
+| .github/workflows/test27.yml:19:7:21:4 | Job outputs node [chart-version] | .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | provenance |  |
+| .github/workflows/test27.yml:20:23:20:68 | steps.get-version.outputs.chart_version | .github/workflows/test27.yml:19:7:21:4 | Job outputs node [chart-version] | provenance |  |
+| .github/workflows/test27.yml:35:9:41:6 | Uses Step | .github/workflows/test27.yml:43:14:44:66 | echo "chart_version=$(<ERSION)" \| tee -a $GITHUB_OUTPUT\n | provenance | Config |
+| .github/workflows/test27.yml:41:9:46:2 | Run Step: get-version [chart_version] | .github/workflows/test27.yml:20:23:20:68 | steps.get-version.outputs.chart_version | provenance |  |
+| .github/workflows/test27.yml:43:14:44:66 | echo "chart_version=$(<ERSION)" \| tee -a $GITHUB_OUTPUT\n | .github/workflows/test27.yml:41:9:46:2 | Run Step: get-version [chart_version] | provenance |  |
+| .github/workflows/test29.yml:35:18:35:54 | github.event.pull_request.body | .github/actions/external/ultralytics/actions/action.yaml:66:3:66:6 | input body | provenance |  |
+| .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance |  |
+| .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance |  |
+| .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance |  |
+| .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | provenance |  |
+| .github/workflows/test.yml:23:9:27:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:29:19:29:46 | steps.step1.outputs.MSG | provenance |  |
+| .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | .github/workflows/test.yml:23:9:27:6 | Run Step: step1 [MSG] | provenance |  |
+| .github/workflows/test.yml:27:9:31:6 | Run Step: step2 [MSG2] | .github/workflows/test.yml:33:20:33:48 | steps.step2.outputs.MSG2 | provenance |  |
+| .github/workflows/test.yml:29:19:29:46 | steps.step1.outputs.MSG | .github/workflows/test.yml:27:9:31:6 | Run Step: step2 [MSG2] | provenance |  |
+| .github/workflows/test.yml:31:9:35:6 | Run Step: step3 [MSG3] | .github/workflows/test.yml:37:20:37:48 | steps.step3.outputs.MSG3 | provenance |  |
+| .github/workflows/test.yml:33:20:33:48 | steps.step2.outputs.MSG2 | .github/workflows/test.yml:31:9:35:6 | Run Step: step3 [MSG3] | provenance |  |
+| .github/workflows/test.yml:35:9:39:6 | Run Step: step4 [MSG4] | .github/workflows/test.yml:41:20:41:48 | steps.step4.outputs.MSG4 | provenance |  |
+| .github/workflows/test.yml:37:20:37:48 | steps.step3.outputs.MSG3 | .github/workflows/test.yml:35:9:39:6 | Run Step: step4 [MSG4] | provenance |  |
+| .github/workflows/test.yml:39:9:44:2 | Run Step: step5 [MSG5] | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | provenance |  |
+| .github/workflows/test.yml:41:20:41:48 | steps.step4.outputs.MSG4 | .github/workflows/test.yml:39:9:44:2 | Run Step: step5 [MSG5] | provenance |  |
+| .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:12:14:13:63 | echo "::set-output name=pr_number::$(<artifact.txt)"\n | provenance | Config |
+| .github/workflows/untrusted_checkout1.yml:11:9:14:6 | Run Step: artifact [pr_number] | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | provenance |  |
+| .github/workflows/untrusted_checkout1.yml:12:14:13:63 | echo "::set-output name=pr_number::$(<artifact.txt)"\n | .github/workflows/untrusted_checkout1.yml:11:9:14:6 | Run Step: artifact [pr_number] | provenance |  |
+nodes
+| .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
+| .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
+| .github/actions/action4/action.yml:7:19:7:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
+| .github/actions/action5/action.yml:4:3:4:7 | input taint | semmle.label | input taint |
+| .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result2] | semmle.label | output Job outputs node [result2] |
+| .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | semmle.label | output Job outputs node [result] |
+| .github/actions/action5/action.yml:11:13:11:44 | steps.step.outputs.result | semmle.label | steps.step.outputs.result |
+| .github/actions/action5/action.yml:14:13:14:46 | steps.step2.outputs.result2 | semmle.label | steps.step2.outputs.result2 |
+| .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | semmle.label | github.event.issue.body |
+| .github/actions/action5/action.yml:20:7:26:4 | Run Step: step [result] | semmle.label | Run Step: step [result] |
+| .github/actions/action5/action.yml:23:15:23:33 | inputs.taint | semmle.label | inputs.taint |
+| .github/actions/action5/action.yml:26:7:31:4 | Run Step: step2 [result2] | semmle.label | Run Step: step2 [result2] |
+| .github/actions/action5/action.yml:28:16:28:45 | github.event.issue.body | semmle.label | github.event.issue.body |
+| .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | semmle.label | inputs.taint |
+| .github/actions/action6/action.yml:216:25:216:60 | github.head_ref \|\| github.ref | semmle.label | github.head_ref \|\| github.ref |
+| .github/actions/action7/action.yml:77:15:77:36 | inputs.spelling | semmle.label | inputs.spelling |
+| .github/actions/action7/action.yml:214:41:214:69 | inputs.github_username | semmle.label | inputs.github_username |
+| .github/actions/action7/action.yml:215:41:215:66 | inputs.github_email | semmle.label | inputs.github_email |
+| .github/actions/action7/action.yml:217:25:217:60 | github.head_ref \|\| github.ref | semmle.label | github.head_ref \|\| github.ref |
+| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | semmle.label | input title |
+| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | semmle.label | output Job outputs node [result] |
+| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | semmle.label | steps.out.outputs.replaced |
+| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | semmle.label | inputs.title |
+| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | semmle.label | Uses Step: out [replaced] |
+| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | semmle.label | inputs.title |
+| .github/actions/external/ultralytics/actions/action.yaml:66:3:66:6 | input body | semmle.label | input body |
+| .github/actions/external/ultralytics/actions/action.yaml:96:16:96:33 | inputs.body | semmle.label | inputs.body |
+| .github/actions/external/ultralytics/actions/action.yaml:223:25:223:60 | github.head_ref \|\| github.ref | semmle.label | github.head_ref \|\| github.ref |
+| .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] |
+| .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | semmle.label | github.event.issue.title |
+| .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | semmle.label | env.ISSUE_TITLE |
+| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced |
+| .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | semmle.label | Run Step: pr [id] |
+| .github/workflows/artifactpoisoning1.yml:22:14:22:55 | echo "::set-output name=id::$(<pr-id.txt)" | semmle.label | echo "::set-output name=id::$(<pr-id.txt)" |
+| .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | semmle.label | steps.pr.outputs.id |
+| .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | semmle.label | Uses Step: pr |
+| .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | semmle.label | steps.pr.outputs.id |
+| .github/workflows/artifactpoisoning3.yml:20:9:41:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/artifactpoisoning3.yml:41:9:53:6 | Run Step: prepare [pr] | semmle.label | Run Step: prepare [pr] |
+| .github/workflows/artifactpoisoning3.yml:43:14:51:45 | unzip input.zip\necho current directory contents\nls -al\n\necho Reading PR number\ntmp=$(<pr)\necho "PR: ${tmp}"\necho "pr=${tmp}" >> $GITHUB_OUTPUT\n | semmle.label | unzip input.zip\necho current directory contents\nls -al\n\necho Reading PR number\ntmp=$(<pr)\necho "PR: ${tmp}"\necho "pr=${tmp}" >> $GITHUB_OUTPUT\n |
+| .github/workflows/artifactpoisoning3.yml:53:20:53:50 | steps.prepare.outputs.pr | semmle.label | steps.prepare.outputs.pr |
+| .github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/artifactpoisoning4.yml:17:9:21:6 | Run Step: artifact [id] | semmle.label | Run Step: artifact [id] |
+| .github/workflows/artifactpoisoning4.yml:19:14:19:58 | echo "::set-output name=id::$(<artifact.txt)" | semmle.label | echo "::set-output name=id::$(<artifact.txt)" |
+| .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | semmle.label | steps.artifact.outputs.id |
+| .github/workflows/artifactpoisoning5.yml:8:9:16:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/artifactpoisoning5.yml:16:9:21:6 | Uses Step: artifact [content] | semmle.label | Uses Step: artifact [content] |
+| .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | semmle.label | steps.artifact.outputs.content |
+| .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/artifactpoisoning6.yml:15:9:20:6 | Run Step: artifact [pr_number] | semmle.label | Run Step: artifact [pr_number] |
+| .github/workflows/artifactpoisoning6.yml:16:14:19:57 | echo "::set-output name=pr_number::$(<artifact.txt)"\nmkdir firebase-android\nunzip firebase-android.zip -d firebase-android\n | semmle.label | echo "::set-output name=pr_number::$(<artifact.txt)"\nmkdir firebase-android\nunzip firebase-android.zip -d firebase-android\n |
+| .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | semmle.label | steps.artifact.outputs.pr_number |
+| .github/workflows/artifactpoisoning6.yml:23:9:28:6 | Run Step: artifact2 [pr_number] | semmle.label | Run Step: artifact2 [pr_number] |
+| .github/workflows/artifactpoisoning6.yml:24:14:27:57 | echo "::set-output name=pr_number::$(cat -e artifact.txt)"\nmkdir firebase-android\nunzip firebase-android.zip -d firebase-android\n | semmle.label | echo "::set-output name=pr_number::$(cat -e artifact.txt)"\nmkdir firebase-android\nunzip firebase-android.zip -d firebase-android\n |
+| .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | semmle.label | steps.artifact2.outputs.pr_number |
+| .github/workflows/artifactpoisoning7.yml:8:9:15:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/artifactpoisoning7.yml:15:9:29:6 | Run Step: artifact [pr_number] | semmle.label | Run Step: artifact [pr_number] |
+| .github/workflows/artifactpoisoning7.yml:16:14:28:57 | set -eou pipefail\npr_number=$(cat -e artifact.txt)\npr_number=${pr_number%?}\npr_length=${#pr_number}\nonly_numbers_re="^[0-9]+$"\nif ! [[ $pr_length <= 10 && $pr_number =~ $only_numbers_re ]] ; then\n  echo "invalid PR number"\n  exit 1\nfi\necho "::set-output name=pr_number::$pr_number"\nmkdir firebase-android\nunzip firebase-android.zip -d firebase-android\n | semmle.label | set -eou pipefail\npr_number=$(cat -e artifact.txt)\npr_number=${pr_number%?}\npr_length=${#pr_number}\nonly_numbers_re="^[0-9]+$"\nif ! [[ $pr_length <= 10 && $pr_number =~ $only_numbers_re ]] ; then\n  echo "invalid PR number"\n  exit 1\nfi\necho "::set-output name=pr_number::$pr_number"\nmkdir firebase-android\nunzip firebase-android.zip -d firebase-android\n |
+| .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | semmle.label | steps.artifact.outputs.pr_number |
+| .github/workflows/artifactpoisoning8.yml:9:9:17:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/artifactpoisoning8.yml:17:9:21:6 | Run Step: artifact [id] | semmle.label | Run Step: artifact [id] |
+| .github/workflows/artifactpoisoning8.yml:19:14:19:58 | echo "::set-output name=id::$(<artifact.txt)" | semmle.label | echo "::set-output name=id::$(<artifact.txt)" |
+| .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | semmle.label | steps.artifact.outputs.id |
+| .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | semmle.label | Uses Step: changed-files1 |
+| .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | semmle.label | steps.changed-files1.outputs.all_changed_files |
+| .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | semmle.label | Uses Step: changed-files3 |
+| .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | semmle.label | steps.changed-files3.outputs.all_changed_files |
+| .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | semmle.label | Uses Step: changed-files5 |
+| .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | semmle.label | steps.changed-files5.outputs.all_changed_files |
+| .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | semmle.label | github.event.comment.body |
+| .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | semmle.label | github.event.comment.body |
+| .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | semmle.label | github.event.issue.body |
+| .github/workflows/comment_issue.yml:17:19:17:49 | github.event.issue.title | semmle.label | github.event.issue.title |
+| .github/workflows/comment_issue.yml:24:31:24:62 | github.event.comment.body | semmle.label | github.event.comment.body |
+| .github/workflows/comment_issue.yml:27:31:27:60 | github.event.issue.body | semmle.label | github.event.issue.body |
+| .github/workflows/comment_issue.yml:30:31:30:61 | github.event.issue.title | semmle.label | github.event.issue.title |
+| .github/workflows/comment_issue_newline.yml:10:25:10:56 | github.event.comment.body | semmle.label | github.event.comment.body |
+| .github/workflows/comment_issue_newline.yml:11:24:11:51 | github.event.issue.body | semmle.label | github.event.issue.body |
+| .github/workflows/comment_issue_newline.yml:12:24:12:55 | github.event.comment.body | semmle.label | github.event.comment.body |
+| .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result2] | semmle.label | Uses Step: foo [result2] |
+| .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | semmle.label | Uses Step: foo [result] |
+| .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | semmle.label | github.event.comment.body |
+| .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | semmle.label | steps.foo.outputs.result |
+| .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | semmle.label | steps.foo.outputs.result2 |
+| .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | semmle.label | Uses Step: clone [result] |
+| .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | semmle.label | steps.clone.outputs.result |
+| .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | semmle.label | Uses Step: remove_quotations [replaced] |
+| .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | semmle.label | github.event.commits[0].message |
+| .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced |
+| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | semmle.label | env.ISSUE_BODY_PARSED |
+| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | semmle.label | env.pr_message |
+| .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced |
+| .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | semmle.label | env.ISSUE_BODY_PARSED |
+| .github/workflows/discussion.yml:7:19:7:54 | github.event.discussion.title | semmle.label | github.event.discussion.title |
+| .github/workflows/discussion.yml:8:19:8:53 | github.event.discussion.body | semmle.label | github.event.discussion.body |
+| .github/workflows/discussion_comment.yml:7:19:7:54 | github.event.discussion.title | semmle.label | github.event.discussion.title |
+| .github/workflows/discussion_comment.yml:8:19:8:53 | github.event.discussion.body | semmle.label | github.event.discussion.body |
+| .github/workflows/discussion_comment.yml:9:19:9:50 | github.event.comment.body | semmle.label | github.event.comment.body |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | semmle.label | Run Step: git-commit [file-list] |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:84:75 | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<<EOF" >> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n  "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n  'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | semmle.label | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<<EOF" >> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n  "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n  'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | semmle.label | steps.git-commit.outputs.file-list |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | semmle.label | input taint |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | semmle.label | github.event.changes.title.from |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | semmle.label | env.log |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | semmle.label | env.prev_log |
+| .github/workflows/gollum.yml:7:19:7:52 | github.event.pages[1].title | semmle.label | github.event.pages[1].title |
+| .github/workflows/gollum.yml:8:19:8:53 | github.event.pages[11].title | semmle.label | github.event.pages[11].title |
+| .github/workflows/gollum.yml:9:19:9:56 | github.event.pages[0].page_name | semmle.label | github.event.pages[0].page_name |
+| .github/workflows/gollum.yml:10:19:10:59 | github.event.pages[2222].page_name | semmle.label | github.event.pages[2222].page_name |
+| .github/workflows/image_link_generator.yml:15:9:22:6 | Run Step: extract-url [initial_url] | semmle.label | Run Step: extract-url [initial_url] |
+| .github/workflows/image_link_generator.yml:18:18:18:49 | github.event.comment.body | semmle.label | github.event.comment.body |
+| .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] | semmle.label | Run Step: curl [redirected_url] |
+| .github/workflows/image_link_generator.yml:25:25:25:68 | steps.extract-url.outputs.initial_url | semmle.label | steps.extract-url.outputs.initial_url |
+| .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | semmle.label | Run Step: trim-url [trimmed_url] |
+| .github/workflows/image_link_generator.yml:31:28:31:67 | steps.curl.outputs.redirected_url | semmle.label | steps.curl.outputs.redirected_url |
+| .github/workflows/image_link_generator.yml:37:85:37:125 | steps.trim-url.outputs.trimmed_url | semmle.label | steps.trim-url.outputs.trimmed_url |
+| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
+| .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value |
+| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source |
+| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] |
+| .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files |
+| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output |
+| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
+| .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value |
+| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source |
+| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] |
+| .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files |
+| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output |
+| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
+| .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value |
+| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source |
+| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] |
+| .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files |
+| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output |
+| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
+| .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value |
+| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source |
+| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] |
+| .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files |
+| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output |
+| .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output |
+| .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | semmle.label | github.event.issue.title |
+| .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | semmle.label | github.event.issue.title |
+| .github/workflows/issues.yaml:13:19:13:49 | github.event.issue.title | semmle.label | github.event.issue.title |
+| .github/workflows/issues.yaml:14:19:14:48 | github.event.issue.body | semmle.label | github.event.issue.body |
+| .github/workflows/issues.yaml:15:19:15:39 | env.global_env | semmle.label | env.global_env |
+| .github/workflows/issues.yaml:17:19:17:36 | env.job_env | semmle.label | env.job_env |
+| .github/workflows/issues.yaml:18:19:18:37 | env.step_env | semmle.label | env.step_env |
+| .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | semmle.label | github.event.issue.title |
+| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | semmle.label | github.event.comment.body |
+| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | semmle.label | toJSON(github.event.issue.title) |
+| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | semmle.label | github.event.issue.body |
+| .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | semmle.label | github.event.comment.body |
+| .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
+| .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
+| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
+| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label |
+| .github/workflows/pull_request_review.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch |
+| .github/workflows/pull_request_review.yml:11:19:11:72 | github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description |
+| .github/workflows/pull_request_review.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage |
+| .github/workflows/pull_request_review.yml:13:19:13:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref |
+| .github/workflows/pull_request_review.yml:14:19:14:49 | github.event.review.body | semmle.label | github.event.review.body |
+| .github/workflows/pull_request_review_comment.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/pull_request_review_comment.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
+| .github/workflows/pull_request_review_comment.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label |
+| .github/workflows/pull_request_review_comment.yml:10:19:10:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch |
+| .github/workflows/pull_request_review_comment.yml:11:19:11:72 | github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description |
+| .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage |
+| .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref |
+| .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body |
+| .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
+| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label |
+| .github/workflows/pull_request_target.yml:12:19:12:75 | github.event.pull_request.head.repo.default_branch | semmle.label | github.event.pull_request.head.repo.default_branch |
+| .github/workflows/pull_request_target.yml:13:19:13:72 | github.event.pull_request.head.repo.description | semmle.label | github.event.pull_request.head.repo.description |
+| .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage |
+| .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref |
+| .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | semmle.label | github.head_ref |
+| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | semmle.label | github.event.commits[11].message |
+| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | semmle.label | github.event.commits[11].author.email |
+| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | semmle.label | github.event.commits[11].author.name |
+| .github/workflows/push.yml:10:19:10:57 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
+| .github/workflows/push.yml:11:19:11:62 | github.event.head_commit.author.email | semmle.label | github.event.head_commit.author.email |
+| .github/workflows/push.yml:12:19:12:61 | github.event.head_commit.author.name | semmle.label | github.event.head_commit.author.name |
+| .github/workflows/push.yml:13:19:13:65 | github.event.head_commit.committer.email | semmle.label | github.event.head_commit.committer.email |
+| .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name |
+| .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email |
+| .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name |
+| .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | semmle.label | github.event.commits[11].message |
+| .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | semmle.label | github.event.commits[11].author.email |
+| .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | semmle.label | github.event.commits[11].author.name |
+| .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
+| .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | semmle.label | github.event.head_commit.author.email |
+| .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | semmle.label | github.event.head_commit.author.name |
+| .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | semmle.label | github.event.head_commit.committer.email |
+| .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name |
+| .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email |
+| .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name |
+| .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | semmle.label | input taint |
+| .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint |
+| .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/reusable-workflow-1.yml:45:24:45:61 | github.event.changes.title.from | semmle.label | github.event.changes.title.from |
+| .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | semmle.label | env.log |
+| .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | semmle.label | env.prev_log |
+| .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | semmle.label | input taint |
+| .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint |
+| .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/reusable-workflow-2.yml:45:24:45:61 | github.event.changes.title.from | semmle.label | github.event.changes.title.from |
+| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | semmle.label | env.log |
+| .github/workflows/reusable-workflow-2.yml:66:34:66:52 | env.prev_log | semmle.label | env.prev_log |
+| .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
+| .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | semmle.label | steps.source.outputs.value |
+| .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | semmle.label | Uses Step: source [value] |
+| .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | semmle.label | github.event['comment']['body'] |
+| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | semmle.label | steps.source.outputs.value |
+| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | semmle.label | needs.test1.outputs.job_output |
+| .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | semmle.label | Uses Step: summary [value] |
+| .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
+| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | semmle.label | steps.summary.outputs.value |
+| .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | semmle.label | Uses Step: source |
+| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | semmle.label | Uses Step: step [value] |
+| .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files |
+| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | semmle.label | steps.step.outputs.value |
+| .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
+| .github/workflows/simple3.yml:22:11:22:37 | toJSON(github.event) | semmle.label | toJSON(github.event) |
+| .github/workflows/slash_command2.yml:11:9:20:6 | Uses Step: command | semmle.label | Uses Step: command |
+| .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | semmle.label | steps.command.outputs.command-arguments |
+| .github/workflows/test1.yml:15:5:27:39 | Job: updateJira [ISSUE_KEY] | semmle.label | Job: updateJira [ISSUE_KEY] |
+| .github/workflows/test1.yml:23:19:23:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/test1.yml:27:20:27:39 | env.ISSUE_KEY | semmle.label | env.ISSUE_KEY |
+| .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | semmle.label | Uses Step: changed |
+| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | semmle.label | steps.changed.outputs.locale_files |
+| .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | semmle.label | Uses Step: changed2 |
+| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | semmle.label | steps.changed2.outputs.locale_files |
+| .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | semmle.label | Job outputs node [payload] |
+| .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | semmle.label | steps.issue_body_parser_request.outputs.payload |
+| .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | semmle.label | Uses Step: issue_body_parser_request |
+| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload |
+| .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | semmle.label | toJSON(github.event.comment) |
+| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | semmle.label | toJSON(github.event.issue) |
+| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | semmle.label | toJSON(github.event) |
+| .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | semmle.label | toJSON(github.event.comment.body).foo |
+| .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | semmle.label | Uses Step: comment-branch |
+| .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | semmle.label | Uses Step: refs |
+| .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | semmle.label | steps.comment-branch.outputs.head_ref |
+| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | semmle.label | steps.refs.outputs.head_ref |
+| .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref |
+| .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref |
+| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | semmle.label | Job outputs node [payload] |
+| .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | semmle.label | steps.issue_body_parser_request.outputs.payload |
+| .github/workflows/test9.yml:12:9:20:6 | Uses Step: issue_body_parser_request | semmle.label | Uses Step: issue_body_parser_request |
+| .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | semmle.label | steps.issue_body_parser_request.outputs.payload |
+| .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload |
+| .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | semmle.label | fromJson(needs.parse-issue.outputs.payload) |
+| .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | semmle.label | fromJson(needs.parse-issue.outputs.payload).version |
+| .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | semmle.label | fromJson(needs.parse-issue.outputs.payload).version |
+| .github/workflows/test9.yml:35:42:35:80 | toJson(github.event.issue.title) | semmle.label | toJson(github.event.issue.title) |
+| .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | semmle.label | github.event.issue.title |
+| .github/workflows/test9.yml:43:42:43:80 | toJson(github.event.issue.title) | semmle.label | toJson(github.event.issue.title) |
+| .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
+| .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
+| .github/workflows/test10.yml:240:34:240:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
+| .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
+| .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
+| .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
+| .github/workflows/test11.yml:19:7:21:4 | Job outputs node [pr_num] | semmle.label | Job outputs node [pr_num] |
+| .github/workflows/test11.yml:19:7:21:4 | Job outputs node [ref] | semmle.label | Job outputs node [ref] |
+| .github/workflows/test11.yml:19:16:19:50 | steps.set-ref.outputs.pr_num | semmle.label | steps.set-ref.outputs.pr_num |
+| .github/workflows/test11.yml:20:13:20:44 | steps.set-ref.outputs.ref | semmle.label | steps.set-ref.outputs.ref |
+| .github/workflows/test11.yml:22:9:30:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [pr_num] | semmle.label | Run Step: set-ref [pr_num] |
+| .github/workflows/test11.yml:30:9:46:2 | Run Step: set-ref [ref] | semmle.label | Run Step: set-ref [ref] |
+| .github/workflows/test11.yml:32:14:44:44 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n | semmle.label | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_OUTPUT\necho "ref=$ref" >> $GITHUB_OUTPUT\n |
+| .github/workflows/test11.yml:54:20:54:60 | needs.get-artifacts.outputs.pr_num | semmle.label | needs.get-artifacts.outputs.pr_num |
+| .github/workflows/test11.yml:55:20:55:57 | needs.get-artifacts.outputs.ref | semmle.label | needs.get-artifacts.outputs.ref |
+| .github/workflows/test12.yml:10:21:10:67 | github.event.pull_request.title \|\| "foo" | semmle.label | github.event.pull_request.title \|\| "foo" |
+| .github/workflows/test13.yml:10:21:10:57 | github.event.changes.body.from | semmle.label | github.event.changes.body.from |
+| .github/workflows/test13.yml:11:21:11:58 | github.event.changes.title.from | semmle.label | github.event.changes.title.from |
+| .github/workflows/test13.yml:12:21:12:61 | github.event.changes.head.ref.from | semmle.label | github.event.changes.head.ref.from |
+| .github/workflows/test13.yml:13:21:13:55 | toJson(github.event.changes) | semmle.label | toJson(github.event.changes) |
+| .github/workflows/test14.yml:13:9:16:6 | Run Step: changed-files [files] | semmle.label | Run Step: changed-files [files] |
+| .github/workflows/test14.yml:14:14:15:117 | echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT"\n | semmle.label | echo "files=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_OUTPUT"\n |
+| .github/workflows/test14.yml:16:21:16:60 | steps.changed-files.outputs.files | semmle.label | steps.changed-files.outputs.files |
+| .github/workflows/test14.yml:23:9:27:6 | Run Step: changed-files [files] | semmle.label | Run Step: changed-files [files] |
+| .github/workflows/test14.yml:24:14:26:52 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n | semmle.label | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "files=${FILES}" >> "$GITHUB_OUTPUT"\n |
+| .github/workflows/test14.yml:27:21:27:60 | steps.changed-files.outputs.files | semmle.label | steps.changed-files.outputs.files |
+| .github/workflows/test14.yml:29:5:38:2 | Job: test3 [CHANGED-FILES] | semmle.label | Job: test3 [CHANGED-FILES] |
+| .github/workflows/test14.yml:35:14:36:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | semmle.label | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n |
+| .github/workflows/test14.yml:37:21:37:44 | env.CHANGED-FILES | semmle.label | env.CHANGED-FILES |
+| .github/workflows/test14.yml:39:5:48:45 | Job: test4 [CHANGED-FILES] | semmle.label | Job: test4 [CHANGED-FILES] |
+| .github/workflows/test14.yml:45:14:47:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | semmle.label | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n |
+| .github/workflows/test14.yml:48:21:48:44 | env.CHANGED-FILES | semmle.label | env.CHANGED-FILES |
+| .github/workflows/test15.yml:10:9:13:6 | Run Step: title [title] | semmle.label | Run Step: title [title] |
+| .github/workflows/test15.yml:11:14:12:103 | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n | semmle.label | echo "title=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_OUTPUT"\n |
+| .github/workflows/test15.yml:13:21:13:52 | steps.title.outputs.title | semmle.label | steps.title.outputs.title |
+| .github/workflows/test15.yml:17:9:21:6 | Run Step: title [title] | semmle.label | Run Step: title [title] |
+| .github/workflows/test15.yml:18:14:20:53 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n |
+| .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | semmle.label | steps.title.outputs.title |
+| .github/workflows/test15.yml:23:5:29:2 | Job: test3 [TITLE] | semmle.label | Job: test3 [TITLE] |
+| .github/workflows/test15.yml:26:14:27:100 | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | semmle.label | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n |
+| .github/workflows/test15.yml:28:21:28:36 | env.TITLE | semmle.label | env.TITLE |
+| .github/workflows/test15.yml:30:5:36:37 | Job: test4 [TITLE] | semmle.label | Job: test4 [TITLE] |
+| .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | semmle.label | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n |
+| .github/workflows/test15.yml:36:21:36:36 | env.TITLE | semmle.label | env.TITLE |
+| .github/workflows/test16.yml:20:13:24:8 | Job outputs node [ref] | semmle.label | Job outputs node [ref] |
+| .github/workflows/test16.yml:21:19:21:48 | steps.ref.outputs.value | semmle.label | steps.ref.outputs.value |
+| .github/workflows/test16.yml:26:15:33:12 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/test16.yml:38:15:45:12 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/test16.yml:45:15:50:12 | Run Step: ref [value] | semmle.label | Run Step: ref [value] |
+| .github/workflows/test16.yml:47:20:47:64 | echo "value=$(<pr-ref.txt)" >> $GITHUB_OUTPUT | semmle.label | echo "value=$(<pr-ref.txt)" >> $GITHUB_OUTPUT |
+| .github/workflows/test16.yml:99:13:102:8 | Job outputs node [commit-message] | semmle.label | Job outputs node [commit-message] |
+| .github/workflows/test16.yml:100:30:100:70 | steps.commit-message.outputs.value | semmle.label | steps.commit-message.outputs.value |
+| .github/workflows/test16.yml:123:15:128:12 | Run Step: commit-message [value] | semmle.label | Run Step: commit-message [value] |
+| .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | semmle.label | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT |
+| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | semmle.label | github.event.workflow_run.head_commit.author.name |
+| .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | semmle.label | needs.build-demo.outputs.commit-message |
+| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | semmle.label | needs.setup.outputs.ref |
+| .github/workflows/test17.yml:14:13:22:10 | Uses Step: get-pr | semmle.label | Uses Step: get-pr |
+| .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | semmle.label | steps.get-pr.outputs.data |
+| .github/workflows/test17.yml:30:13:39:10 | Uses Step: get-pr-details | semmle.label | Uses Step: get-pr-details |
+| .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | semmle.label | fromJson(steps.get-pr-details.outputs.data).head.ref |
+| .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | semmle.label | Uses Step: issues |
+| .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | semmle.label | steps.issues.outputs.data |
+| .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | semmle.label | Uses Step: get-pull-request |
+| .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | semmle.label | fromJson(steps.get-pull-request.outputs.data).title |
+| .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | semmle.label | Uses Step: issues |
+| .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | semmle.label | steps.issues.outputs.data |
+| .github/workflows/test19.yml:10:9:14:6 | Run Step: head_ref [head_ref] | semmle.label | Run Step: head_ref [head_ref] |
+| .github/workflows/test19.yml:11:14:13:56 | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | semmle.label | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n |
+| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | semmle.label | steps.head_ref.outputs.head_ref |
+| .github/workflows/test19.yml:15:9:19:6 | Run Step: title [title] | semmle.label | Run Step: title [title] |
+| .github/workflows/test19.yml:16:14:18:50 | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n |
+| .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | semmle.label | steps.title.outputs.title |
+| .github/workflows/test19.yml:20:9:24:6 | Run Step: body [body] | semmle.label | Run Step: body [body] |
+| .github/workflows/test19.yml:21:14:23:48 | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | semmle.label | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n |
+| .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | semmle.label | steps.body.outputs.body |
+| .github/workflows/test19.yml:25:9:29:6 | Run Step: comments [comments] | semmle.label | Run Step: comments [comments] |
+| .github/workflows/test19.yml:26:14:28:56 | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n |
+| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments |
+| .github/workflows/test19.yml:30:9:34:6 | Run Step: files [files] | semmle.label | Run Step: files [files] |
+| .github/workflows/test19.yml:31:14:33:58 | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | semmle.label | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n |
+| .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | semmle.label | steps.files.outputs.files |
+| .github/workflows/test19.yml:35:9:39:6 | Run Step: author [author] | semmle.label | Run Step: author [author] |
+| .github/workflows/test19.yml:36:14:38:52 | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | semmle.label | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n |
+| .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | semmle.label | steps.author.outputs.author |
+| .github/workflows/test19.yml:43:9:47:6 | Run Step: head_ref [head_ref] | semmle.label | Run Step: head_ref [head_ref] |
+| .github/workflows/test19.yml:44:14:46:56 | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | semmle.label | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n |
+| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | semmle.label | steps.head_ref.outputs.head_ref |
+| .github/workflows/test19.yml:48:9:52:6 | Run Step: title [title] | semmle.label | Run Step: title [title] |
+| .github/workflows/test19.yml:49:14:51:50 | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n |
+| .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | semmle.label | steps.title.outputs.title |
+| .github/workflows/test19.yml:53:9:57:6 | Run Step: body [body] | semmle.label | Run Step: body [body] |
+| .github/workflows/test19.yml:54:14:56:48 | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | semmle.label | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n |
+| .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | semmle.label | steps.body.outputs.body |
+| .github/workflows/test19.yml:58:9:62:6 | Run Step: comments [comments] | semmle.label | Run Step: comments [comments] |
+| .github/workflows/test19.yml:59:14:61:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n |
+| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments |
+| .github/workflows/test19.yml:63:9:67:6 | Run Step: files [files] | semmle.label | Run Step: files [files] |
+| .github/workflows/test19.yml:64:14:66:58 | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | semmle.label | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n |
+| .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | semmle.label | steps.files.outputs.files |
+| .github/workflows/test19.yml:68:9:72:6 | Run Step: author [author] | semmle.label | Run Step: author [author] |
+| .github/workflows/test19.yml:69:14:71:52 | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | semmle.label | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n |
+| .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | semmle.label | steps.author.outputs.author |
+| .github/workflows/test19.yml:76:9:80:6 | Run Step: title [title] | semmle.label | Run Step: title [title] |
+| .github/workflows/test19.yml:77:14:79:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n |
+| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | semmle.label | steps.title.outputs.title |
+| .github/workflows/test19.yml:81:9:85:6 | Run Step: body [body] | semmle.label | Run Step: body [body] |
+| .github/workflows/test19.yml:82:14:84:48 | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | semmle.label | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n |
+| .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | semmle.label | steps.body.outputs.body |
+| .github/workflows/test19.yml:86:9:90:6 | Run Step: comments [comments] | semmle.label | Run Step: comments [comments] |
+| .github/workflows/test19.yml:87:14:89:56 | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n |
+| .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments |
+| .github/workflows/test19.yml:94:9:98:6 | Run Step: title [title] | semmle.label | Run Step: title [title] |
+| .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n |
+| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | semmle.label | steps.title.outputs.title |
+| .github/workflows/test19.yml:99:9:103:6 | Run Step: body [body] | semmle.label | Run Step: body [body] |
+| .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | semmle.label | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n |
+| .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | semmle.label | steps.body.outputs.body |
+| .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | semmle.label | Run Step: comments [comments] |
+| .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n |
+| .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments |
+| .github/workflows/test19.yml:112:9:117:6 | Run Step: title1 [title] | semmle.label | Run Step: title1 [title] |
+| .github/workflows/test19.yml:113:14:116:50 | DETAILS=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $DETAILS \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | DETAILS=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $DETAILS \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n |
+| .github/workflows/test19.yml:117:21:117:52 | steps.title1.outputs.title | semmle.label | steps.title1.outputs.title |
+| .github/workflows/test19.yml:118:9:123:6 | Run Step: title2 [title] | semmle.label | Run Step: title2 [title] |
+| .github/workflows/test19.yml:119:14:122:50 | TITLE=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n |
+| .github/workflows/test19.yml:123:21:123:52 | steps.title2.outputs.title | semmle.label | steps.title2.outputs.title |
+| .github/workflows/test19.yml:124:9:129:6 | Run Step: title3 [title] | semmle.label | Run Step: title3 [title] |
+| .github/workflows/test19.yml:125:14:128:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n |
+| .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | semmle.label | steps.title3.outputs.title |
+| .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref |
+| .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
+| .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
+| .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
+| .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | semmle.label | Uses Step: parse |
+| .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | semmle.label | steps.parse.outputs.payload |
+| .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | semmle.label | Uses Step: parse |
+| .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | semmle.label | steps.parse.outputs.data |
+| .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | semmle.label | toJSON(steps.parse.outputs.data) |
+| .github/workflows/test26.yml:17:9:22:6 | Run Step: read_issue_body [body] | semmle.label | Run Step: read_issue_body [body] |
+| .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | semmle.label | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT |
+| .github/workflows/test26.yml:20:39:20:64 | inputs.issue_number | semmle.label | inputs.issue_number |
+| .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | semmle.label | Uses Step: parse [data] |
+| .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | semmle.label | steps.read_issue_body.outputs.body |
+| .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | semmle.label | steps.parse.outputs.data |
+| .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | semmle.label | toJSON(steps.parse.outputs.data) |
+| .github/workflows/test27.yml:19:7:21:4 | Job outputs node [chart-version] | semmle.label | Job outputs node [chart-version] |
+| .github/workflows/test27.yml:20:23:20:68 | steps.get-version.outputs.chart_version | semmle.label | steps.get-version.outputs.chart_version |
+| .github/workflows/test27.yml:35:9:41:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/test27.yml:41:9:46:2 | Run Step: get-version [chart_version] | semmle.label | Run Step: get-version [chart_version] |
+| .github/workflows/test27.yml:43:14:44:66 | echo "chart_version=$(<ERSION)" \| tee -a $GITHUB_OUTPUT\n | semmle.label | echo "chart_version=$(<ERSION)" \| tee -a $GITHUB_OUTPUT\n |
+| .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | semmle.label | needs.setup.outputs.chart-version |
+| .github/workflows/test29.yml:35:18:35:54 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
+| .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
+| .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 |
+| .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] |
+| .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | semmle.label | github.event['pull_request']['body'] |
+| .github/workflows/test.yml:23:9:27:6 | Run Step: step1 [MSG] | semmle.label | Run Step: step1 [MSG] |
+| .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | semmle.label | steps.step0.outputs.value |
+| .github/workflows/test.yml:27:9:31:6 | Run Step: step2 [MSG2] | semmle.label | Run Step: step2 [MSG2] |
+| .github/workflows/test.yml:29:19:29:46 | steps.step1.outputs.MSG | semmle.label | steps.step1.outputs.MSG |
+| .github/workflows/test.yml:31:9:35:6 | Run Step: step3 [MSG3] | semmle.label | Run Step: step3 [MSG3] |
+| .github/workflows/test.yml:33:20:33:48 | steps.step2.outputs.MSG2 | semmle.label | steps.step2.outputs.MSG2 |
+| .github/workflows/test.yml:35:9:39:6 | Run Step: step4 [MSG4] | semmle.label | Run Step: step4 [MSG4] |
+| .github/workflows/test.yml:37:20:37:48 | steps.step3.outputs.MSG3 | semmle.label | steps.step3.outputs.MSG3 |
+| .github/workflows/test.yml:39:9:44:2 | Run Step: step5 [MSG5] | semmle.label | Run Step: step5 [MSG5] |
+| .github/workflows/test.yml:41:20:41:48 | steps.step4.outputs.MSG4 | semmle.label | steps.step4.outputs.MSG4 |
+| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | semmle.label | needs.job1.outputs['job_output'] |
+| .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/untrusted_checkout1.yml:11:9:14:6 | Run Step: artifact [pr_number] | semmle.label | Run Step: artifact [pr_number] |
+| .github/workflows/untrusted_checkout1.yml:12:14:13:63 | echo "::set-output name=pr_number::$(<artifact.txt)"\n | semmle.label | echo "::set-output name=pr_number::$(<artifact.txt)"\n |
+| .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | semmle.label | steps.artifact.outputs.pr_number |
+| .github/workflows/workflow_call.yml:30:18:30:36 | inputs.title | semmle.label | inputs.title |
+| .github/workflows/workflow_call.yml:35:18:35:36 | inputs.count | semmle.label | inputs.count |
+| .github/workflows/workflow_call.yml:40:18:40:35 | inputs.flag | semmle.label | inputs.flag |
+| .github/workflows/workflow_dispatch.yml:36:18:36:36 | inputs.title | semmle.label | inputs.title |
+| .github/workflows/workflow_dispatch.yml:41:18:41:35 | inputs.body | semmle.label | inputs.body |
+| .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | semmle.label | github.event.workflow_run.display_title |
+| .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | semmle.label | github.event.workflow_run.head_commit.message |
+| .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | semmle.label | github.event.workflow_run.head_commit.author.email |
+| .github/workflows/workflow_run.yml:12:19:12:74 | github.event.workflow_run.head_commit.author.name | semmle.label | github.event.workflow_run.head_commit.author.name |
+| .github/workflows/workflow_run.yml:13:19:13:78 | github.event.workflow_run.head_commit.committer.email | semmle.label | github.event.workflow_run.head_commit.committer.email |
+| .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | semmle.label | github.event.workflow_run.head_commit.committer.name |
+| .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
+| .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | semmle.label | github.event.workflow_run.head_repository.description |
+| .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
+| .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
+| .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
+| .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
+| .github/workflows/workflow_run_branches5.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
+subpaths
+| .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:4:3:4:7 | input taint | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] |
+| .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:4:3:4:7 | input title | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] |
+#select
+| .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by a calling workflow. | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} |
+| .github/workflows/workflow_call.yml:30:18:30:36 | inputs.title | .github/workflows/workflow_call.yml:30:18:30:36 | inputs.title | .github/workflows/workflow_call.yml:30:18:30:36 | inputs.title | Potential code injection in $@, which may be controlled by a calling workflow. | .github/workflows/workflow_call.yml:30:18:30:36 | inputs.title | ${{ inputs.title }} |
diff --git a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionLow.qlref b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionLow.qlref
new file mode 100644
index 000000000000..e0f202ee24c3
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionLow.qlref
@@ -0,0 +1 @@
+Security/CWE-094/CodeInjectionLow.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
index 4bbe7da0aaf3..7ca6b0284c83 100644
--- a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
+++ b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
@@ -651,6 +651,7 @@ nodes
 | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | semmle.label | toJSON(steps.parse.outputs.data) |
 | .github/workflows/test26.yml:17:9:22:6 | Run Step: read_issue_body [body] | semmle.label | Run Step: read_issue_body [body] |
 | .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | semmle.label | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT |
+| .github/workflows/test26.yml:20:39:20:64 | inputs.issue_number | semmle.label | inputs.issue_number |
 | .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | semmle.label | Uses Step: parse [data] |
 | .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | semmle.label | steps.read_issue_body.outputs.body |
 | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | semmle.label | steps.parse.outputs.data |
@@ -681,6 +682,11 @@ nodes
 | .github/workflows/untrusted_checkout1.yml:11:9:14:6 | Run Step: artifact [pr_number] | semmle.label | Run Step: artifact [pr_number] |
 | .github/workflows/untrusted_checkout1.yml:12:14:13:63 | echo "::set-output name=pr_number::$(<artifact.txt)"\n | semmle.label | echo "::set-output name=pr_number::$(<artifact.txt)"\n |
 | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | semmle.label | steps.artifact.outputs.pr_number |
+| .github/workflows/workflow_call.yml:30:18:30:36 | inputs.title | semmle.label | inputs.title |
+| .github/workflows/workflow_call.yml:35:18:35:36 | inputs.count | semmle.label | inputs.count |
+| .github/workflows/workflow_call.yml:40:18:40:35 | inputs.flag | semmle.label | inputs.flag |
+| .github/workflows/workflow_dispatch.yml:36:18:36:36 | inputs.title | semmle.label | inputs.title |
+| .github/workflows/workflow_dispatch.yml:41:18:41:35 | inputs.body | semmle.label | inputs.body |
 | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | semmle.label | github.event.workflow_run.display_title |
 | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | semmle.label | github.event.workflow_run.head_commit.message |
 | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | semmle.label | github.event.workflow_run.head_commit.author.email |
@@ -753,6 +759,8 @@ subpaths
 | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | ${{ github.event.head_commit.message }} |
 | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | ${{ github.event.head_commit.message }} |
 | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | ${{ github.event.head_commit.message }} |
+| .github/workflows/workflow_dispatch.yml:36:18:36:36 | inputs.title | .github/workflows/workflow_dispatch.yml:36:18:36:36 | inputs.title | .github/workflows/workflow_dispatch.yml:36:18:36:36 | inputs.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_dispatch.yml:36:18:36:36 | inputs.title | ${{ inputs.title }} |
+| .github/workflows/workflow_dispatch.yml:41:18:41:35 | inputs.body | .github/workflows/workflow_dispatch.yml:41:18:41:35 | inputs.body | .github/workflows/workflow_dispatch.yml:41:18:41:35 | inputs.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_dispatch.yml:41:18:41:35 | inputs.body | ${{ inputs.body }} |
 | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
 | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
 | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |

From f4c3c3561d7e593192f3c12779e7c551e4d7dd73 Mon Sep 17 00:00:00 2001
From: Tiago Pascoal <tspascoal@github.com>
Date: Tue, 7 Apr 2026 10:27:53 +0100
Subject: [PATCH 2/4] Fix typo in lowSeverityCodeInjection documentation
 regarding write access

---
 actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
index 5edc7e9b71f1..31e330c04c20 100644
--- a/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
@@ -124,7 +124,7 @@ predicate mediumSeverityCodeInjection(
 /**
  * Holds if there is a code injection flow from `source` to `sink` with low severity.
  * This covers workflow_call inputs, which are lower risk since only users with
- * write access control the callers, but the inputs may still originate from
+ * write access controls the callers, but the inputs may still originate from
  * untrusted user input in the calling workflow.
  */
 predicate lowSeverityCodeInjection(

From c9ea8d1f2738fac063f80da0e8bf48c45b59b575 Mon Sep 17 00:00:00 2001
From: Tiago Pascoal <tspascoal@github.com>
Date: Tue, 7 Apr 2026 10:41:16 +0100
Subject: [PATCH 3/4] Clarify comments on input types in workflow_call.yml to
 enhance understanding of input constraints

---
 .../Security/CWE-094/.github/workflows/workflow_call.yml      | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_call.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_call.yml
index 50301dd43da9..6ba81214ec5a 100644
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_call.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_call.yml
@@ -29,12 +29,12 @@ jobs:
         run: |
           echo "${{ inputs.title }}"
 
-      # Not vulnerable: number input (not a string type)
+      # Not vulnerable: number input constrained by GitHub to numeric values
       - name: safe number input
         run: |
           echo "${{ inputs.count }}"
 
-      # Not vulnerable: boolean input (not a string type)
+      # Not vulnerable: boolean input constrained by GitHub to true/false values
       - name: safe boolean input
         run: |
           echo "${{ inputs.flag }}"

From c676bdd0692c3b0c676b120f17641d10378c0da0 Mon Sep 17 00:00:00 2001
From: Tiago Pascoal <tspascoal@github.com>
Date: Tue, 7 Apr 2026 12:52:58 +0100
Subject: [PATCH 4/4] Actions: Report both workflow_call and workflow_dispatch
 code injection

Treat workflow_call and workflow_dispatch inputs independently for
code-injection severity classification so mixed-trigger workflows can
produce both low and medium alerts.

Add a regression test for workflows that define both triggers and update
the corresponding expected results.
---
 .../actions/security/CodeInjectionQuery.qll   |  9 +++-
 .../workflows/workflow_call_and_dispatch.yml  | 44 +++++++++++++++++++
 .../CWE-094/CodeInjectionCritical.expected    |  2 +
 .../CWE-094/CodeInjectionLow.expected         |  4 ++
 .../CWE-094/CodeInjectionMedium.expected      |  4 ++
 5 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100644 actions/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_call_and_dispatch.yml

diff --git a/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
index 31e330c04c20..03a8951e2445 100644
--- a/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
@@ -109,6 +109,13 @@ private predicate isWorkflowCallInput(DataFlow::Node source) {
   )
 }
 
+/**
+ * Holds if the source is an input expression that can be supplied via workflow_dispatch.
+ */
+private predicate isWorkflowDispatchInput(DataFlow::Node source) {
+  source instanceof WorkflowDispatchInputSource
+}
+
 /**
  * Holds if there is a code injection flow from `source` to `sink` with medium severity.
  */
@@ -117,7 +124,7 @@ predicate mediumSeverityCodeInjection(
 ) {
   CodeInjectionFlow::flowPath(source, sink) and
   not criticalSeverityCodeInjection(source, sink, _) and
-  not isWorkflowCallInput(source.getNode()) and
+  not (isWorkflowCallInput(source.getNode()) and not isWorkflowDispatchInput(source.getNode())) and
   not isGithubScriptUsingToJson(sink.getNode().asExpr())
 }
 
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_call_and_dispatch.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_call_and_dispatch.yml
new file mode 100644
index 000000000000..42856de3f9bd
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_call_and_dispatch.yml
@@ -0,0 +1,44 @@
+name: Code Injection via workflow_call and workflow_dispatch
+
+on:
+  workflow_dispatch:
+    inputs:
+      title:
+        description: "Title for the issue"
+        required: true
+        type: string
+      body:
+        description: "Body with no explicit type (defaults to string)"
+        required: false
+  workflow_call:
+    inputs:
+      title:
+        description: "Title for the issue"
+        required: true
+        type: string
+      body:
+        description: "Body with explicit string type"
+        required: false
+        type: string
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: vulnerable title input
+        run: |
+          echo "${{ inputs.title }}"
+
+      - name: vulnerable body input
+        run: |
+          echo "${{ inputs.body }}"
+
+      - name: safe input via env
+        run: |
+          echo "$title"
+        env:
+          title: ${{ inputs.title }}
\ No newline at end of file
diff --git a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
index 660dd5c7e454..44431d747d19 100644
--- a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
+++ b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
@@ -685,6 +685,8 @@ nodes
 | .github/workflows/workflow_call.yml:30:18:30:36 | inputs.title | semmle.label | inputs.title |
 | .github/workflows/workflow_call.yml:35:18:35:36 | inputs.count | semmle.label | inputs.count |
 | .github/workflows/workflow_call.yml:40:18:40:35 | inputs.flag | semmle.label | inputs.flag |
+| .github/workflows/workflow_call_and_dispatch.yml:34:18:34:36 | inputs.title | semmle.label | inputs.title |
+| .github/workflows/workflow_call_and_dispatch.yml:38:18:38:35 | inputs.body | semmle.label | inputs.body |
 | .github/workflows/workflow_dispatch.yml:36:18:36:36 | inputs.title | semmle.label | inputs.title |
 | .github/workflows/workflow_dispatch.yml:41:18:41:35 | inputs.body | semmle.label | inputs.body |
 | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | semmle.label | github.event.workflow_run.display_title |
diff --git a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionLow.expected b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionLow.expected
index c179a2106802..e233817f2039 100644
--- a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionLow.expected
+++ b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionLow.expected
@@ -685,6 +685,8 @@ nodes
 | .github/workflows/workflow_call.yml:30:18:30:36 | inputs.title | semmle.label | inputs.title |
 | .github/workflows/workflow_call.yml:35:18:35:36 | inputs.count | semmle.label | inputs.count |
 | .github/workflows/workflow_call.yml:40:18:40:35 | inputs.flag | semmle.label | inputs.flag |
+| .github/workflows/workflow_call_and_dispatch.yml:34:18:34:36 | inputs.title | semmle.label | inputs.title |
+| .github/workflows/workflow_call_and_dispatch.yml:38:18:38:35 | inputs.body | semmle.label | inputs.body |
 | .github/workflows/workflow_dispatch.yml:36:18:36:36 | inputs.title | semmle.label | inputs.title |
 | .github/workflows/workflow_dispatch.yml:41:18:41:35 | inputs.body | semmle.label | inputs.body |
 | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | semmle.label | github.event.workflow_run.display_title |
@@ -706,3 +708,5 @@ subpaths
 #select
 | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by a calling workflow. | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} |
 | .github/workflows/workflow_call.yml:30:18:30:36 | inputs.title | .github/workflows/workflow_call.yml:30:18:30:36 | inputs.title | .github/workflows/workflow_call.yml:30:18:30:36 | inputs.title | Potential code injection in $@, which may be controlled by a calling workflow. | .github/workflows/workflow_call.yml:30:18:30:36 | inputs.title | ${{ inputs.title }} |
+| .github/workflows/workflow_call_and_dispatch.yml:34:18:34:36 | inputs.title | .github/workflows/workflow_call_and_dispatch.yml:34:18:34:36 | inputs.title | .github/workflows/workflow_call_and_dispatch.yml:34:18:34:36 | inputs.title | Potential code injection in $@, which may be controlled by a calling workflow. | .github/workflows/workflow_call_and_dispatch.yml:34:18:34:36 | inputs.title | ${{ inputs.title }} |
+| .github/workflows/workflow_call_and_dispatch.yml:38:18:38:35 | inputs.body | .github/workflows/workflow_call_and_dispatch.yml:38:18:38:35 | inputs.body | .github/workflows/workflow_call_and_dispatch.yml:38:18:38:35 | inputs.body | Potential code injection in $@, which may be controlled by a calling workflow. | .github/workflows/workflow_call_and_dispatch.yml:38:18:38:35 | inputs.body | ${{ inputs.body }} |
diff --git a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
index 7ca6b0284c83..1f8bdccbfa48 100644
--- a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
+++ b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
@@ -685,6 +685,8 @@ nodes
 | .github/workflows/workflow_call.yml:30:18:30:36 | inputs.title | semmle.label | inputs.title |
 | .github/workflows/workflow_call.yml:35:18:35:36 | inputs.count | semmle.label | inputs.count |
 | .github/workflows/workflow_call.yml:40:18:40:35 | inputs.flag | semmle.label | inputs.flag |
+| .github/workflows/workflow_call_and_dispatch.yml:34:18:34:36 | inputs.title | semmle.label | inputs.title |
+| .github/workflows/workflow_call_and_dispatch.yml:38:18:38:35 | inputs.body | semmle.label | inputs.body |
 | .github/workflows/workflow_dispatch.yml:36:18:36:36 | inputs.title | semmle.label | inputs.title |
 | .github/workflows/workflow_dispatch.yml:41:18:41:35 | inputs.body | semmle.label | inputs.body |
 | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | semmle.label | github.event.workflow_run.display_title |
@@ -759,6 +761,8 @@ subpaths
 | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | ${{ github.event.head_commit.message }} |
 | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | ${{ github.event.head_commit.message }} |
 | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | ${{ github.event.head_commit.message }} |
+| .github/workflows/workflow_call_and_dispatch.yml:34:18:34:36 | inputs.title | .github/workflows/workflow_call_and_dispatch.yml:34:18:34:36 | inputs.title | .github/workflows/workflow_call_and_dispatch.yml:34:18:34:36 | inputs.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_call_and_dispatch.yml:34:18:34:36 | inputs.title | ${{ inputs.title }} |
+| .github/workflows/workflow_call_and_dispatch.yml:38:18:38:35 | inputs.body | .github/workflows/workflow_call_and_dispatch.yml:38:18:38:35 | inputs.body | .github/workflows/workflow_call_and_dispatch.yml:38:18:38:35 | inputs.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_call_and_dispatch.yml:38:18:38:35 | inputs.body | ${{ inputs.body }} |
 | .github/workflows/workflow_dispatch.yml:36:18:36:36 | inputs.title | .github/workflows/workflow_dispatch.yml:36:18:36:36 | inputs.title | .github/workflows/workflow_dispatch.yml:36:18:36:36 | inputs.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_dispatch.yml:36:18:36:36 | inputs.title | ${{ inputs.title }} |
 | .github/workflows/workflow_dispatch.yml:41:18:41:35 | inputs.body | .github/workflows/workflow_dispatch.yml:41:18:41:35 | inputs.body | .github/workflows/workflow_dispatch.yml:41:18:41:35 | inputs.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_dispatch.yml:41:18:41:35 | inputs.body | ${{ inputs.body }} |
 | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |