From 909de5280c8948429595b0f243cc425e20b8d383 Mon Sep 17 00:00:00 2001 From: Dave Bartolomeo Date: Thu, 6 Feb 2025 11:30:43 -0500 Subject: [PATCH 1/7] Update severity and precision of a few injection queries These will wind up in `security-extended`, when previously they were not in any of the standard suites. --- actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql | 4 ++-- actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql | 4 ++-- actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql b/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql index a1499764ef36..b49cfb082254 100644 --- a/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql +++ b/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql @@ -2,9 +2,9 @@ * @name PATH Enviroment Variable built from user-controlled sources * @description Building the PATH environment variable from user-controlled sources may alter the execution of following system commands * @kind path-problem - * @problem.severity warning + * @problem.severity error * @security-severity 5.0 - * @precision high + * @precision medium * @id actions/envpath-injection/medium * @tags actions * security diff --git a/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql b/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql index c9af38a2c507..a3285b2e945e 100644 --- a/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql +++ b/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql 
@@ -2,9 +2,9 @@ * @name Enviroment Variable built from user-controlled sources * @description Building an environment variable from user-controlled sources may alter the execution of following system commands * @kind path-problem - * @problem.severity warning + * @problem.severity error * @security-severity 5.0 - * @precision high + * @precision medium * @id actions/envvar-injection/medium * @tags actions * security diff --git a/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql b/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql index 992b2aa8c5d4..d2aff7da95ff 100644 --- a/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql +++ b/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql @@ -2,8 +2,8 @@ * @name Artifact poisoning * @description An attacker may be able to poison the workflow's artifacts and influence on consequent steps. * @kind path-problem - * @problem.severity warning - * @precision high + * @problem.severity error + * @precision medium * @security-severity 5.0 * @id actions/artifact-poisoning/medium * @tags actions From d7259c17dbc36aec1b6872cb0639c6c38520b5ad Mon Sep 17 00:00:00 2001 From: Dave Bartolomeo Date: Thu, 6 Feb 2025 11:31:36 -0500 Subject: [PATCH 2/7] Add security tag for `missing-actions-permissions` This ensures that it will remain in the default suite. --- actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql b/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql index d2969b7d6e72..4f7e951d7ed6 100644 --- a/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql +++ b/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql 
@@ -3,11 +3,12 @@ * @description Workflows should contain permissions to provide a clear understanding has permissions to run the workflow. * @kind problem * @security-severity 5.0 - * @problem.severity recommendation + * @problem.severity warning * @precision high * @id actions/missing-workflow-permissions * @tags actions * maintainability + * security * external/cwe/cwe-275 */ From 81ff4dd81c29ee84f9a3cb35674f3f52d7ac279a Mon Sep 17 00:00:00 2001 From: Dave Bartolomeo Date: Thu, 6 Feb 2025 11:32:32 -0500 Subject: [PATCH 3/7] Update severity for `excessive-secrets-exposure` This ensures that it will remain in the default suite. --- actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql b/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql index c1d22e3a1811..a83685207bc2 100644 --- a/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql +++ b/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql @@ -2,7 +2,8 @@ * @name Excessive Secrets Exposure * @description All organization and repository secrets are passed to the workflow runner. * @kind problem - * @problem.severity recommendation + * @precision high + * @problem.severity warning * @id actions/excessive-secrets-exposure * @tags actions * security From 74619d49b39389f70acf593c8b3d0881ce6ce785 Mon Sep 17 00:00:00 2001 From: Dave Bartolomeo Date: Thu, 6 Feb 2025 11:33:17 -0500 Subject: [PATCH 4/7] Update precision and severity for `unpinned-tag` This ensures that it will be in `security-extended`, but not the default suite. --- actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql b/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql index de8d3c2078a8..7c31a659c7de 100644 --- a/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql 
+++ b/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql @@ -3,8 +3,8 @@ * @description Using a tag for a non-immutable Action that is not pinned to a commit can lead to executing an untrusted Action through a supply chain attack. * @kind problem * @security-severity 5.0 - * @problem.severity recommendation - * @precision high + * @problem.severity warning + * @precision medium * @id actions/unpinned-tag * @tags security * actions From cb7aeea51615e81db8099620801797458c8e4fd1 Mon Sep 17 00:00:00 2001 From: Dave Bartolomeo Date: Thu, 6 Feb 2025 11:34:43 -0500 Subject: [PATCH 5/7] Use standard query selectors for `actions-code-scanning` and `actions-security-extended` --- .../ql/src/codeql-suites/actions-code-scanning.qls | 13 +++---------- .../src/codeql-suites/actions-security-extended.qls | 4 +++- 2 files changed, 6 insertions(+), 11 deletions(-) diff --git a/actions/ql/src/codeql-suites/actions-code-scanning.qls b/actions/ql/src/codeql-suites/actions-code-scanning.qls index 4cfe07484d96..13839cea05f6 100644 --- a/actions/ql/src/codeql-suites/actions-code-scanning.qls +++ b/actions/ql/src/codeql-suites/actions-code-scanning.qls @@ -1,11 +1,4 @@ - description: Standard Code Scanning queries for GitHub Actions -- queries: '.' -- include: - problem.severity: - - error - - recommendation -- exclude: - tags contain: - - experimental - - debug - - internal +- queries: . +- apply: code-scanning-selectors.yml + from: codeql/suite-helpers diff --git a/actions/ql/src/codeql-suites/actions-security-extended.qls b/actions/ql/src/codeql-suites/actions-security-extended.qls index 07276d22dfc8..79528a92e1a2 100644 --- a/actions/ql/src/codeql-suites/actions-security-extended.qls +++ b/actions/ql/src/codeql-suites/actions-security-extended.qls @@ -1,2 +1,4 @@ - description: Security-extended queries for GitHub Actions -- import: codeql-suites/actions-code-scanning.qls +- queries: . +- apply: security-extended-selectors.yml + from: codeql/suite-helpers 
From ca7bcc9714f08488ccf426c7c40c58b8c73841bf Mon Sep 17 00:00:00 2001 From: Dave Bartolomeo Date: Thu, 6 Feb 2025 11:50:59 -0500 Subject: [PATCH 6/7] Add change note --- .../change-notes/2025-02-06-curate-suites.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 actions/ql/src/change-notes/2025-02-06-curate-suites.md diff --git a/actions/ql/src/change-notes/2025-02-06-curate-suites.md b/actions/ql/src/change-notes/2025-02-06-curate-suites.md new file mode 100644 index 000000000000..827918026311 --- /dev/null +++ b/actions/ql/src/change-notes/2025-02-06-curate-suites.md @@ -0,0 +1,17 @@ +--- +category: queryMetadata +--- +* The following queries have been removed from the `code-scanning` and `security-extended` suites: + * `actions/if-expression-always-true/critical` + * `actions/if-expression-always-true/high` + * `actions/unnecessary-use-of-advanced-config` +* The following queries have been moved from the `code-scanning` suite to the `security-extended` + suite: + * `actions/unpinned-tag` +* The following queries have been added to the `security-extended` suite: + * `actions/unversioned-immutable-action` + * `actions/envpath-injection/medium` + * `actions/envvar-injection/medium` + * `actions/code-injection/medium` + * `actions/artifact-poisoning/medium` + * `actions/untrusted-checkout/medium` From 3b02f4d7bc50a276052036152eef0e9f73674d70 Mon Sep 17 00:00:00 2001 From: Dave Bartolomeo Date: Fri, 7 Feb 2025 10:09:31 -0500 Subject: [PATCH 7/7] Update change note --- .../ql/src/change-notes/2025-02-06-curate-suites.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/actions/ql/src/change-notes/2025-02-06-curate-suites.md b/actions/ql/src/change-notes/2025-02-06-curate-suites.md index 827918026311..8845e52f8f5a 100644 --- a/actions/ql/src/change-notes/2025-02-06-curate-suites.md +++ b/actions/ql/src/change-notes/2025-02-06-curate-suites.md 
@@ -1,14 +1,17 @@ --- -category: queryMetadata +category: breaking --- -* The following queries have been removed from the `code-scanning` and `security-extended` suites: +* The following queries have been removed from the `code-scanning` and `security-extended` suites. + Any existing alerts for these queries will be closed automatically. * `actions/if-expression-always-true/critical` * `actions/if-expression-always-true/high` * `actions/unnecessary-use-of-advanced-config` -* The following queries have been moved from the `code-scanning` suite to the `security-extended` - suite: + +* The following query has been moved from the `code-scanning` suite to the `security-extended` + suite. Any existing alerts for this query will be closed automatically unless the analysis is + configured to use the `security-extended` suite. * `actions/unpinned-tag` -* The following queries have been added to the `security-extended` suite: +* The following queries have been added to the `security-extended` suite. * `actions/unversioned-immutable-action` * `actions/envpath-injection/medium` * `actions/envvar-injection/medium`
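Review bot: the unchanged `@name` in the EnvPathInjectionMedium.ql hunk (patch 1/7) still reads "PATH Enviroment Variable built from user-controlled sources"; since this metadata block is being edited anyway, correct the spelling to "Environment". The commit message says the queries "will wind up in `security-extended`" but not which of the two edits is responsible; state whether the precision downgrade (high to medium) or the severity bump (warning to error) drives the suite membership, so that a later edit does not revert one of them and silently change which suites pick the query up.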
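Review bot: same spelling issue in the EnvVarInjectionMedium.ql hunk (patch 1/7): the context line `@name Enviroment Variable built from user-controlled sources` should read "Environment Variable". The description's "following system commands" would also read better as "subsequent system commands".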
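Review bot: in the ArtifactPoisoningMedium.ql hunk (patch 1/7) the context line `@description An attacker may be able to poison the workflow's artifacts and influence on consequent steps.` is ungrammatical; suggest "and influence subsequent steps." Minor: this file keeps `@precision` above `@security-severity`, while the two injection queries in the same commit place it below; pick one ordering for the three files.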
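Review bot: the `@description` context line in the MissingActionsPermissions.ql hunk (patch 2/7) is garbled: "Workflows should contain permissions to provide a clear understanding has permissions to run the workflow." Suggest something like "Workflows should declare an explicit `permissions` block so it is clear which permissions the workflow runs with." Also note the ordering problem with the severity change: the `actions-code-scanning.qls` removed in patch 5/7 includes only `error` and `recommendation` severities, so raising this query from `recommendation` to `warning` here drops it from the default suite until patch 5/7 lands; either reorder the selector switch ahead of this commit or say in the message that the two are meant to go together.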
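Review bot: no `@security-severity` appears in the ExcessiveSecretsExposure.ql hunk (patch 3/7); if the query does not carry one further down the header, add it, since every other `security`-tagged query touched in this series has `@security-severity 5.0` and this one is being promoted to the default suite. Style: `@precision high` is inserted above `@problem.severity` here, whereas the other queries in the series put precision after severity; keep the order consistent. The same ordering caveat as patch 2/7 applies: `recommendation` to `warning` removes the query from the old locally-defined suite until the selector switch in patch 5/7.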
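Review bot: the `apply: code-scanning-selectors.yml` / `from: codeql/suite-helpers` lines in the actions-code-scanning.qls hunk (patch 5/7) require the actions pack to declare `codeql/suite-helpers` as a dependency, and nothing in this series touches the pack's qlpack.yml; confirm the dependency already exists or add it in this commit, otherwise suite resolution fails. The commit message should also spell out the behavioural difference from the removed local selector: the old include list admitted `error` and `recommendation` but not `warning` and applied no precision filter, so switching to the standard selectors is what actually changes suite membership for the queries edited in patches 1 to 4, and the series would be easier to bisect if this commit came first.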
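Review bot: the actions-security-extended.qls hunk (patch 5/7) replaces `import: codeql-suites/actions-code-scanning.qls` with a direct `apply` of the standard security-extended selectors, so the extended suite no longer automatically contains everything in the default suite; that is the expected relationship with the standard selectors, but it is worth one sentence in the commit message, since the previous definition guaranteed the superset property by construction.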
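Review bot: the new change note (patch 6/7) lists `actions/if-expression-always-true/critical`, `actions/if-expression-always-true/high`, `actions/unnecessary-use-of-advanced-config`, `actions/code-injection/medium`, `actions/untrusted-checkout/medium` and `actions/unversioned-immutable-action` as changing suites, but none of those `.ql` files is modified anywhere in this series; their membership changes purely as a consequence of the switch to the standard selectors. Say so in the note or the commit message so a reader can verify the list against the queries' existing metadata rather than hunting for edits that are not there.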
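Review bot: in the updated change note (patch 7/7) the first two bullets now state the alert impact ("Any existing alerts ... will be closed automatically"), but the third bullet, `* The following queries have been added to the `security-extended` suite.`, does not; add a matching sentence saying that analyses configured with `security-extended` may see new alerts from these queries, so the `breaking` category is justified consistently across all three bullets.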