
Restore CodeQL suppression to correct location in 'with:' block#460

Closed
greenc-FNAL wants to merge 1 commit intomainfrom
maintenance/codeql-suppression-3

Conversation

@greenc-FNAL
Contributor

The CodeQL suppression for actions/untrusted-checkout/medium must be placed
within the 'with:' block of the checkout step, not before the step name or
before the 'uses:' line. This is the correct location for CodeQL's YAML
parser to recognize and apply the suppression.

This action is safe because:

  • It's never called from pull_request_target workflows
  • Uses unprivileged triggers (pull_request, issue_comment, workflow_dispatch, workflow_call)
  • Empty sparse checkout ensures no PR files are materialized on disk
  • Only git objects are fetched for diff/ls-tree operations
  • No code from the PR is ever executed

Fixes: GitHub CodeQL alerts #111/#171 (bouncing instances of same rule)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

@greenc-FNAL greenc-FNAL requested a review from knoepfel March 26, 2026 15:22
Copilot AI review requested due to automatic review settings March 26, 2026 15:22
Contributor

Copilot AI left a comment


Pull request overview

This PR adjusts the placement of the CodeQL suppression for actions/untrusted-checkout/medium so CodeQL’s YAML parser correctly associates it with the actions/checkout step in the run-change-detection composite action.

Changes:

  • Moved the # codeql[actions/untrusted-checkout/medium] suppression comment into the with: block of the checkout step (immediately before ref:).
  • Relocated the accompanying rationale comment block to sit alongside the suppressed ref: input.
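Added illustration of the placement the description and review above refer to. This is not the project's own run-change-detection file: the step name, the `inputs.pr-head-sha` input, the sparse-checkout pattern and the `persist-credentials` setting are assumptions; only the position of the suppression comment relative to the flagged `ref:` input is the point.

```yaml
# Added illustration, not the project's own composite action.

# 1) Placement CodeQL does not associate with the flagged `ref:` input:
#    the comment sits before the step name (or before `uses:`), so the
#    alert stays open even though the rationale is written down.
runs:
  using: composite
  steps:
    # codeql[actions/untrusted-checkout/medium]
    - name: Fetch PR git objects
      uses: actions/checkout@v4
      with:
        ref: ${{ inputs.pr-head-sha }}   # hypothetical input name
        fetch-depth: 0

---
# 2) Placement CodeQL recognizes: inside the `with:` block, on the line
#    immediately above the flagged `ref:` input, with the rationale kept
#    next to the suppression so a reviewer sees both together.
runs:
  using: composite
  steps:
    - name: Fetch PR git objects
      uses: actions/checkout@v4
      with:
        # Why this untrusted checkout is acceptable here:
        # - the action is only invoked from unprivileged triggers
        #   (pull_request, issue_comment, workflow_dispatch, workflow_call),
        #   never from pull_request_target;
        # - the sparse checkout leaves no PR files on disk (the pattern
        #   below is a placeholder for the project's own setting);
        # - only git objects are fetched, for diff / ls-tree, and nothing
        #   from the PR is ever executed.
        # codeql[actions/untrusted-checkout/medium]
        ref: ${{ inputs.pr-head-sha }}   # hypothetical input name
        fetch-depth: 0
        sparse-checkout: <placeholder-pattern-that-matches-no-files>
        persist-credentials: false       # assumed extra hardening, not stated on the page
```

After the next CodeQL run the alert for that `ref:` line should show as suppressed rather than open; if it is still open, the comment is not on the line directly preceding the flagged input.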

@knoepfel
Member

Closing as there are no longer any flagged security issues.

@knoepfel knoepfel closed this Mar 27, 2026
@knoepfel knoepfel deleted the maintenance/codeql-suppression-3 branch March 27, 2026 13:43