Module actions

MaD models for permissions needed by actions Fields: - action: action name, e.g. actions/checkout - permission: permission name, e.g. contents: read

MaD models for arguments to commands that execute the given argument. Fields: - regexp: Regular expression for matching argument injections. - command_group: capture group for the command. - argument_group: capture group for the argument.

MaD models for context/trigger mapping Fields: - trigger: Trigger for the workflow - context_prefix: Prefix for the context

MaD models for externally triggerable events Fields: - event: Event name

MaD models for immutable actions Fields: - action: action name

Holds if the path cache_path is a subpath of the path untrusted_path.

MaD models for poisonable actions Fields: - action: action name

MaD models for poisonable commands Fields: - regexp: Regular expression for matching poisonable commands

MaD models for poisonable local scripts Fields: - regexp: Regular expression for matching poisonable local scripts - group: Script capture group number for the regular expression

MaD models for repository details Fields: - visibility: Visibility of the repository - default_branch_name: Default branch name

MaD models for trusted actions owners Fields: - owner: owner name

MaD models for event properties that can be user-controlled. Fields: - property: event property - kind: property kind

MaD models for untrusted gh commands Fields: - cmd_regex: Regular expression for matching untrusted gh commands - flag: Flag for the command

MaD models for untrusted git commands Fields: - cmd_regex: Regular expression for matching untrusted git commands - flag: Flag for the command

MaD models for vulnerable actions Fields: - action: action name - vulnerable_version: vulnerable version - vulnerable_sha: vulnerable sha - fixed_version: fixed version

MaD models for workflow details Fields: - path: Path to the workflow file - trigger: Trigger for the workflow - job: Job name - secrets_source: Source of secrets - permissions: Permissions for the workflow - runner: Runner info for the workflow

A custom composite action. This is a mapping at the top level of an Actions YAML action file. See https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions.

An env in workflow, job or step.

An Environment node representing a deployment environment.

An If node representing a conditional statement.

An Actions job within a workflow. See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobs.

An Actions job within a workflow which is composed of steps. See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobs.

https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idneeds

A run field within an Actions job step, which runs command-line programs using an operating system shell. See https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsrun.

An runs mapping in a custom composite action YAML. See https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#runs

A step within an Actions job. See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idsteps.

An Actions workflow. This is a mapping at the top level of an Actions YAML workflow file. See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions.

This module provides extensible predicates for defining MaD models.