Description
Description of the false positive
CodeQL treats e.g. `aws-actions/configure-aws-credentials@v5.0.0` as non-immutable although it now is.
Code samples or links to source code
The following snippet will trigger the `actions/unpinned-tag` rule violation:
```yaml
- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v5.0.0
  with:
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    aws-region: us-east-1
    role-session-name: github-deployment
```
Starting with v5.0.0 this is now the first action from a third party that I've spotted that also got the "Immutable" tag: https://github.com/aws-actions/configure-aws-credentials/releases/tag/v5.0.0
This raises a general question of how CodeQL can identify immutable actions.
Right now some organizations are defined as trusted in https://github.com/github/codeql/blob/4f8166a661eb374bf733bd8d155922f9f728f4ca/actions/ql/lib/ext/config/trusted_actions_owner.yml
However, the aws-actions org per se can't be added as not all of its actions are immutable (yet).
I am not sure if it's enough to add the action repo to https://github.com/github/codeql/blob/203788d4f1913f40d1ba8b2708d8f9c71206b6f4/actions/ql/lib/ext/config/immutable_actions.yml ?
This would still cause a lot of manual effort to keep up to date with the list of growing immutable actions.
I assume this data should be fetched from the GH API in the future to evaluate the immutability status.
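To make the allowlist logic discussed above concrete, here is an added example (not CodeQL's query and not the issue author's code) that scans `uses:` references in a workflow and reports tag-pinned actions unless the ref is a full commit SHA, the owner is in a trusted-owner list, or the repo is in an immutable-actions list. The workflow text and both allowlists are constructed for this example and only mimic the shape of `trusted_actions_owner.yml` and `immutable_actions.yml`.

```python
import re
from typing import List, Set, Tuple

# Constructed sample workflow: the issue's step plus three extra cases.
SAMPLE_WORKFLOW = """\
steps:
  - name: Configure AWS credentials
    uses: aws-actions/configure-aws-credentials@v5.0.0
  - name: Checkout
    uses: actions/checkout@v4
  - name: Third-party action pinned only by tag
    uses: example-org/example-action@v1
  - name: Third-party action pinned by commit SHA
    uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567
"""

# Assumed allowlists; illustrative contents, not the real config files.
TRUSTED_OWNERS: Set[str] = {"actions", "github"}
IMMUTABLE_ACTIONS: Set[str] = {"aws-actions/configure-aws-credentials"}

# Matches `uses: owner/repo[/path]@ref`; local (./x) and docker:// refs have no '@'.
USES_RE = re.compile(r"^\s*uses:\s*([^@\s]+)@(\S+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned(
    workflow_text: str,
    trusted_owners: Set[str] = TRUSTED_OWNERS,
    immutable_actions: Set[str] = IMMUTABLE_ACTIONS,
) -> List[Tuple[str, str]]:
    """Return (action, ref) pairs that an unpinned-tag rule would flag."""
    findings = []
    for action, ref in USES_RE.findall(workflow_text):
        owner = action.split("/")[0]
        if SHA_RE.match(ref):
            continue  # pinned to a full commit SHA
        if owner in trusted_owners or action in immutable_actions:
            continue  # trusted owner or immutable release: tag is acceptable
        findings.append((action, ref))
    return findings


if __name__ == "__main__":
    for action, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"unpinned tag: {action}@{ref}")
```

Removing the repo from the immutable list reproduces the false positive from the issue: the v5.0.0 step is flagged again.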