
Actions: imprecise action references in model data

Open woodruffw opened this issue 5 months ago • 2 comments

First of all, thanks for your hard work! I'm a huge fan of CodeQL, and I think support for GitHub Actions within it is amazing.

I'm filing this because I recently tried to consume some of CodeQL's "models" in an external tool (https://github.com/zizmorcore/zizmor/pull/849), and noticed what I think is a model imprecision/data quality issue.

Description

For example, actions/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml:

extensions:
  - addsTo:
      pack: codeql/actions-all
      extensible: actionsSinkModel
    data:
     - ["airbytehq/airbyte", "*", "input.options", "code-injection", "generated"]
     - ["airbytehq/airbyte", "*", "input.subcommand", "code-injection", "generated"]

(Permalink)

This implies that airbytehq/airbyte has a top-level action.ya?ml definition, but it doesn't: instead, it has a set of actions defined under airbytehq/airbyte/.github/actions, of which run-airbyte-ci appears to have the relevant injectable inputs:

name: "Run Dagger pipeline"
description: "Runs a given dagger pipeline"
inputs:
  subcommand:
    description: "Subcommand for airbyte-ci"
    required: true

(Permalink)

This appears to be true in most other model files in that directory, at least the ones marked with "generated" in their definitions.

Expected behavior

Given that the inputs in question occur in an action that isn't at the repository root, I expected the model YAML to look roughly like this:

extensions:
  - addsTo:
      pack: codeql/actions-all
      extensible: actionsSinkModel
    data:
     - ["airbytehq/airbyte/.github/actions/run-airbyte-ci", "*", "input.options", "code-injection", "generated"]
     - ["airbytehq/airbyte/.github/actions/run-airbyte-ci", "*", "input.subcommand", "code-injection", "generated"]

Actual behavior

The model YAML lists airbytehq/airbyte, leaving it unclear which actions within that repository have the injectable inputs.

woodruffw, May 30 '25 20:05
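To make the consumer-side effect of the imprecision concrete, here is an added example (not CodeQL's or zizmor's code) that loads the actionsSinkModel rows from a generated model file, flags references that name only a repository, and tries to match a workflow `uses:` target against them. It assumes, as in the files quoted above, that each data row is written as a one-line flow sequence, so the rows can be extracted with `json.loads` without a YAML library; the model texts are constructed from the rows in this issue, and the `uses:` value `airbytehq/airbyte/.github/actions/run-airbyte-ci@v1` is a constructed workflow reference.

```python
"""Check CodeQL Actions model rows for imprecise action references.

Added example, not CodeQL's or zizmor's code. Assumes generated model files
write each data row as a one-line flow sequence (as quoted in the issue), so
rows can be pulled out with json.loads. The model texts are constructed here.
"""
import json
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample: the actual (imprecise) rows quoted in the issue.
ACTUAL_MODEL = """\
extensions:
  - addsTo:
      pack: codeql/actions-all
      extensible: actionsSinkModel
    data:
     - ["airbytehq/airbyte", "*", "input.options", "code-injection", "generated"]
     - ["airbytehq/airbyte", "*", "input.subcommand", "code-injection", "generated"]
"""

# Constructed sample: the expected rows, naming the composite action's path.
EXPECTED_MODEL = ACTUAL_MODEL.replace(
    '"airbytehq/airbyte"', '"airbytehq/airbyte/.github/actions/run-airbyte-ci"'
)


class ActionRef(NamedTuple):
    owner: str
    repo: str
    path: Optional[str]  # None when the reference names the repository root


def parse_action_ref(ref: str) -> ActionRef:
    """Split 'owner/repo[/path/to/action][@ref]' into its parts."""
    ref = ref.split("@", 1)[0]  # drop a version suffix such as @v1 if present
    parts = ref.split("/", 2)
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"not an owner/repo reference: {ref!r}")
    path = parts[2] if len(parts) == 3 and parts[2] else None
    return ActionRef(parts[0], parts[1], path)


def load_sink_rows(model_text: str) -> List[list]:
    """Extract data rows from a generated model file.

    Minimal line-oriented extraction (assumption: one flow-sequence row per
    line, as in the generated files); not a general YAML parser.
    """
    rows = []
    for line in model_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("- ["):
            rows.append(json.loads(stripped[2:]))
    return rows


def imprecise_refs(rows: List[list]) -> List[str]:
    """Action references that name only a repository, with no action path.

    Such a row cannot say which action inside the repository has the sink
    input unless the repository ships a root-level action.y(a)ml.
    """
    return sorted({row[0] for row in rows if parse_action_ref(row[0]).path is None})


def sinks_for_uses(uses: str, rows: List[list]) -> Tuple[List[list], List[list]]:
    """Return (exact, repo_only) sink rows for a workflow 'uses:' target.

    exact: rows whose reference matches owner/repo/path exactly.
    repo_only: rows naming just the repository; a consumer cannot tell whether
    they apply to this action or to a sibling under .github/actions.
    """
    target = parse_action_ref(uses)
    exact, repo_only = [], []
    for row in rows:
        ref = parse_action_ref(row[0])
        if ref == target:
            exact.append(row)
        elif ref.path is None and (ref.owner, ref.repo) == (target.owner, target.repo):
            repo_only.append(row)
    return exact, repo_only


if __name__ == "__main__":
    uses = "airbytehq/airbyte/.github/actions/run-airbyte-ci@v1"  # constructed
    for label, text in (("actual", ACTUAL_MODEL), ("expected", EXPECTED_MODEL)):
        rows = load_sink_rows(text)
        exact, repo_only = sinks_for_uses(uses, rows)
        print(f"{label}: imprecise={imprecise_refs(rows)} "
              f"exact={len(exact)} repo-only={len(repo_only)}")
```

With the actual rows, the `run-airbyte-ci` reference gets no exact sink match and two repo-only candidates that the consumer cannot safely attribute to any one action; with the expected rows, both `input.options` and `input.subcommand` match exactly and nothing is left ambiguous. The same `imprecise_refs` check can be run over every generated model file to list the references that need a path added.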

Thanks for raising the question. Apologies that this slipped through. We're discussing this internally and will get back to you.

aeisenberg, Jun 16 '25 14:06

No problem, thanks for the response! Please let me know if there's any other information I can provide.

woodruffw, Jun 16 '25 14:06

Gentle ping on the above :-)

woodruffw, Sep 13 '25 04:09

This is on the to-do list -- no progress yet though I'm afraid

smowton, Sep 15 '25 19:09