Module ConfigExtensions

Holds if action needs permission to run. - ‘action’ is the name of the action without any version information. E.g. for the action selector actions/checkout@v2, action is actions/checkout. - permission is of the form scope-name: read|write, for example contents: read. - see https://github.com/actions/checkout?tab=readme-ov-file#recommended-permissions for an example of recommended permissions. - see https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token for documentation of token permissions.

Holds for arguments to commands that execute the given argument

Holds if a context expression starting with context_prefix is available for a given trigger.

Holds if a given trigger event can be fired by an external actor.

Holds for actions that are known to be immutable.

Holds for actions that can be poisoned through local files.

Holds for strings that match poisonable commands.

Holds for strings that match poisonable local scripts.

Holds if repository data model exists for the given parameters.

Holds for trusted Actions owners.

Holds for event properties that can be user-controlled.

Holds for gh commands that may introduce untrusted data

Holds for git commands that may introduce untrusted data when called on an attacker controlled branch.

Holds for actions that are known to be vulnerable.

Holds if workflow data model exists for the given parameters.