
Actions: Correctly check reusable workflow permissions in actions/missing-workflow-permissions#21636

Merged
jketema merged 4 commits into github:main from jketema:actions-perm
Apr 10, 2026

Conversation

Contributor

@jketema jketema commented Apr 2, 2026

Fixes: #21629

@jketema jketema requested a review from a team as a code owner April 2, 2026 13:49
Copilot AI review requested due to automatic review settings April 2, 2026 13:49
@github-actions github-actions bot added the labels documentation and Actions (Analysis of GitHub Actions) Apr 2, 2026
// The workflow is reusable and cannot be triggered in any other way; check callers
exists(ReusableWorkflow r | r = job.getEnclosingWorkflow() |
not exists(Event e | e = r.getOn().getAnEvent() | e.getName() != "workflow_call") and
forall(Job caller | caller = job.getEnclosingWorkflow().(ReusableWorkflow).getACaller() |
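Review bot: the `forall` on the last line is vacuously satisfied when the reusable workflow has no callers, so a `workflow_call`-only workflow with no `permissions` block and no callers is never reported; if that is the intended behaviour, say so in the comment above the `exists`, since a reader will otherwise assume it is an oversight. Also, `caller = job.getEnclosingWorkflow().(ReusableWorkflow).getACaller()` re-derives the workflow that `r` already binds on the `exists` line; `caller = r.getACaller()` is shorter and makes the dependence on the first conjunct explicit.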
Contributor


Thinking out loud here: If there are no callers, this is vacuously true.
So in this case it is true when: the workflow is reusable, it is only triggered via workflow_call and nobody calls it.
Should we use a forex instead?

Contributor Author


Why? In that case we have an unused reusable workflow, which is perfectly fine.

Contributor


That’s exactly what I wanted to confirm: that it’s acceptable to have a reusable workflow that isn’t used without permission. Thanks

Contributor Author


This maintains the current behavior of the query, and I don't think we want to change that.

Once the workflow starts getting used and the caller does not set any permissions, this will be flagged up.
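To make the behaviour discussed in this thread concrete, here is a constructed example (not code from the PR or the CodeQL repository) of a reusable workflow whose only trigger is workflow_call, alongside a caller that scopes the token and one that does not. The file paths and job names are hypothetical; the three files are shown as one multi-document YAML stream.

```yaml
# Constructed example, not from the PR. "# File:" comments name hypothetical paths.

# File: .github/workflows/reusable-build.yml
# The only trigger is workflow_call, so nothing but a caller can start this
# workflow and the check is deferred to each caller. With no callers at all,
# nothing is reported (the "unused reusable workflow" case from the thread).
on:
  workflow_call:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make build
---
# File: .github/workflows/ci-ok.yml
# Caller with an explicit, minimal permissions block. Called jobs run with at
# most the caller's token permissions, so the reusable job is covered and
# nothing is flagged.
on: [push]

permissions:
  contents: read

jobs:
  call-build:
    uses: ./.github/workflows/reusable-build.yml
---
# File: .github/workflows/ci-flagged.yml
# Caller that sets no permissions at workflow or job level. The reusable job
# therefore runs with the repository's default token permissions, and this is
# the case the query reports. Adding a permissions block as in ci-ok.yml
# (workflow-level or on the call-build job) resolves it.
on: [push]

jobs:
  call-build:
    uses: ./.github/workflows/reusable-build.yml
```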

Contributor

@IdrissRio IdrissRio left a comment


LGTM 👍

@jketema jketema merged commit 888d392 into github:main Apr 10, 2026
22 checks passed
@jketema jketema deleted the actions-perm branch April 10, 2026 13:02

Successfully merging this pull request may close these issues.

False positive for actions/missing-workflow-permissions on reusable workflow files

2 participants