From 86c5d9f1cd9686d55d81c7b4b48ea2d06ffcec72 Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo
Date: Thu, 27 Feb 2025 11:48:27 -0500
Subject: [PATCH 1/5] Move list of immutable actions into internal model pack for now.
---
 .../ext/immutable_actions.yml | 28 +++++++++++++++++++
 .../immutable-actions-list/qlpack.yml | 13 +++++++++
 .../ql/lib/ext/config/immutable_actions.yml | 24 ++++------------
 .../lib/ext/config/trusted_actions_owner.yml | 3 +-
 actions/ql/test/qlpack.yml | 4 +++
 codeql-workspace.yml | 2 +-
 6 files changed, 54 insertions(+), 20 deletions(-)
 create mode 100644 actions/ql/extensions/immutable-actions-list/ext/immutable_actions.yml
 create mode 100644 actions/ql/extensions/immutable-actions-list/qlpack.yml
diff --git a/actions/ql/extensions/immutable-actions-list/ext/immutable_actions.yml b/actions/ql/extensions/immutable-actions-list/ext/immutable_actions.yml
new file mode 100644
index 000000000000..1b78930778ab
--- /dev/null
+++ b/actions/ql/extensions/immutable-actions-list/ext/immutable_actions.yml
@@ -0,0 +1,28 @@
+extensions:
+ - addsTo:
+ pack: codeql/actions-all
+ extensible: immutableActionsDataModel
+ data:
+ - ["actions/checkout"]
+ - ["actions/cache"]
+ - ["actions/setup-node"]
+ - ["actions/upload-artifact"]
+ - ["actions/setup-python"]
+ - ["actions/download-artifact"]
+ - ["actions/github-script"]
+ - ["actions/setup-java"]
+ - ["actions/setup-go"]
+ - ["actions/upload-pages-artifact"]
+ - ["actions/deploy-pages"]
+ - ["actions/setup-dotnet"]
+ - ["actions/stale"]
+ - ["actions/labeler"]
+ - ["actions/create-github-app-token"]
+ - ["actions/configure-pages"]
+ - ["github/codeql-action/analyze"]
+ - ["github/codeql-action/autobuild"]
+ - ["github/codeql-action/init"]
+ - ["github/codeql-action/resolve-environment"]
+ - ["github/codeql-action/start-proxy"]
+ - ["github/codeql-action/upload-sarif"]
+ - ["octokit/request-action"]
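Review bot: The new `ext/immutable_actions.yml` is not a straight move of the list deleted from `actions/ql/lib/ext/config/immutable_actions.yml`: its six `github/codeql-action/...` rows (`analyze`, `autobuild`, `init`, `resolve-environment`, `start-proxy`, `upload-sarif`) have no counterpart in the removed list, while the subject line says only "Move". Because these rows decide which unversioned action references the `actions/unversioned-immutable-action` query reports, the file should say what a row is and where the set came from; a header comment such as `# Actions that publish immutable releases, one row per action reference (owner/repo, optionally with a subpath); formerly kept in actions/ql/lib/ext/config/immutable_actions.yml` would do, and the commit message should mention the added rows. Whether the predicate matches rows exactly or by prefix (for example `github/codeql-action` versus `github/codeql-action/init`) is not visible from this hunk, so the comment should state whichever applies.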
diff --git a/actions/ql/extensions/immutable-actions-list/qlpack.yml b/actions/ql/extensions/immutable-actions-list/qlpack.yml
new file mode 100644
index 000000000000..cc957721c12f
--- /dev/null
+++ b/actions/ql/extensions/immutable-actions-list/qlpack.yml
@@ -0,0 +1,13 @@
+# Model pack containing the list of known immutable actions. The Immutable Actions feature is not
+# yet released, so this pack will only be used within GitHub. Once the feature is available to
+# customers, we will move the contents of this pack back into the standard library pack.
+name: github/immutable-actions-list
+version: 0.0.1-dev
+library: true
+extensionTargets:
+ # We expect to need this model pack even after GA of Actions analysis, so make it compatible with
+ # all future prereleases plus 1.x.x. We should be able to remove this back before we need to
+ # bump the major version to 2.
+ codeql/actions-all: ">=0.4.3 <2.0.0"
+dataExtensions:
+- ext/**/*.yml
diff --git a/actions/ql/lib/ext/config/immutable_actions.yml b/actions/ql/lib/ext/config/immutable_actions.yml
index d6a9b1020d73..6a57ce21d532 100644
--- a/actions/ql/lib/ext/config/immutable_actions.yml
+++ b/actions/ql/lib/ext/config/immutable_actions.yml
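Review bot: The comment above `codeql/actions-all: ">=0.4.3 <2.0.0"` says "remove this back before we need to bump the major version", which reads as a slip for "move this back" (the header comment talks about moving the contents back) or "remove this pack"; `# all future prereleases plus 1.x.x. We should be able to move this back before we need to` would match the rest of the file. The wide range is deliberate, but it also means a future change to the arity of the `immutableActionsDataModel` extensible in `codeql/actions-all` would presumably require raising the lower bound here rather than being caught by the `<2.0.0` cap, which deserves a sentence in the same comment. With `library: true` and no README, the three-line header is the only place a consumer learns this pack is GitHub-internal, so keeping it accurate matters.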
@@ -2,21 +2,9 @@ extensions:
 - addsTo:
 pack: codeql/actions-all
 extensible: immutableActionsDataModel
- data:
- - ["actions/checkout"]
- - ["actions/cache"]
- - ["actions/setup-node"]
- - ["actions/upload-artifact"]
- - ["actions/setup-python"]
- - ["actions/download-artifact"]
- - ["actions/github-script"]
- - ["actions/setup-java"]
- - ["actions/setup-go"]
- - ["actions/upload-pages-artifact"]
- - ["actions/deploy-pages"]
- - ["actions/setup-dotnet"]
- - ["actions/stale"]
- - ["actions/labeler"]
- - ["actions/create-github-app-token"]
- - ["actions/configure-pages"]
- - ["octokit/request-action"]
+ # Since the Immutable Actions feature is not yet available to customers, we won't alert about
+ # any unversioned immutable action references for now. Within GitHub, we'll include the
+ # `github/immutable-actions-list` model pack, which will provide the necessary list of actions
+ # for internal use. Once the feature is available to customers, we'll move that list back into
+ # this file.
+ data: []
diff --git a/actions/ql/lib/ext/config/trusted_actions_owner.yml b/actions/ql/lib/ext/config/trusted_actions_owner.yml
index c90b1afee769..9efc450e334d 100644
--- a/actions/ql/lib/ext/config/trusted_actions_owner.yml
+++ b/actions/ql/lib/ext/config/trusted_actions_owner.yml
@@ -5,4 +5,5 @@ extensions:
 data:
 - ["actions"]
 - ["github"]
- - ["advanced-security"]
\ No newline at end of file
+ - ["advanced-security"]
+ - ["octokit"]
diff --git a/actions/ql/test/qlpack.yml b/actions/ql/test/qlpack.yml
index 12711bee904b..8eaedd2f690c 100644
--- a/actions/ql/test/qlpack.yml
+++ b/actions/ql/test/qlpack.yml
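Review bot: Adding `["octokit"]` to `trusted_actions_owner.yml` extends trust to every action under that owner, not just `octokit/request-action`, which is the only octokit entry in the immutable-actions list this patch creates; the owner list is a security allowlist, so a new row should carry a comment saying why the owner is trusted, and nothing in the hunk gives that reason. Patch 4/5 of this series removes the row again, so squashing the two would avoid leaving a commit in history where `octokit` is trusted. If the row is intentionally dropped, the remaining change in this hunk is only the missing trailing newline after `["advanced-security"]`, which is fine on its own.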
@@ -3,6 +3,10 @@ groups: [codeql, test]
 dependencies:
 codeql/actions-all: ${workspace}
 codeql/actions-queries: ${workspace}
+ # Use the `immutable-actions-list` model pack so that we have some actual data to test against.
+ # We can remove this dependency when we incorporate the data from that model pack back into the
+ # standard library pack.
+ github/immutable-actions-list: ${workspace}
 extractor: actions
 tests: .
 warnOnImplicitThis: true
diff --git a/codeql-workspace.yml b/codeql-workspace.yml
index bfd3106f97ab..32cad09e20c7 100644
--- a/codeql-workspace.yml
+++ b/codeql-workspace.yml
@@ -17,7 +17,7 @@ provide:
 - "misc/legacy-support/*/qlpack.yml"
 - "misc/suite-helpers/qlpack.yml"
 - ".github/codeql/extensions/**/codeql-pack.yml"
-
+ - "actions/ql/extensions/**/qlpack.yml"
 versionPolicies:
 default:
 requireChangeNotes: true
From 4e47da463e41b65c8b51a950f05606722986d4f9 Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo
Date: Thu, 27 Feb 2025 12:04:09 -0500
Subject: [PATCH 2/5] Add change note
---
 .../src/change-notes/2025-02-27-immutable-actions-list.md | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 actions/ql/src/change-notes/2025-02-27-immutable-actions-list.md
diff --git a/actions/ql/src/change-notes/2025-02-27-immutable-actions-list.md b/actions/ql/src/change-notes/2025-02-27-immutable-actions-list.md
new file mode 100644
index 000000000000..ea195c4b1494
--- /dev/null
+++ b/actions/ql/src/change-notes/2025-02-27-immutable-actions-list.md
@@ -0,0 +1,7 @@
+---
+category: fix
+---
+* The `actions/unversioned-immutable-action` query will no longer report any alerts, since the
+ Immutable Actions feature is not yet available for customer use. The query remains in the
+ default Code Scanning suites for use internal to GitHub. Once the Immutable Actions feature is
+ available, the query will be updated to report alerts again.
From 160346f51b63ad27d13330c6c4f9b8ed5cc023b1 Mon Sep 17 00:00:00 2001
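Review bot: Pulling `github/immutable-actions-list` into the test pack means the query tests only ever exercise the internal data set; nothing in the series checks the configuration customers actually receive, where `actions/ql/lib/ext/config/immutable_actions.yml` now carries `data: []`. A test directory (or second test pack) without this dependency that runs `actions/unversioned-immutable-action` and expects no results would pin the "no alerts for customers" behaviour stated in the change note, and would fail the day the list is moved back, which is exactly when the comment says this dependency should be removed. The `${workspace}` reference only resolves because `codeql-workspace.yml` gains the `actions/ql/extensions/**/qlpack.yml` glob in the next hunk; naming that in the comment, e.g. `# Resolved via the actions/ql/extensions/** entry in codeql-workspace.yml.`, keeps the two edits from being separated later.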
From: Dave Bartolomeo
Date: Thu, 27 Feb 2025 12:05:00 -0500
Subject: [PATCH 3/5] Add `warnOnImplicitThis: true`
---
 actions/ql/extensions/immutable-actions-list/qlpack.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/actions/ql/extensions/immutable-actions-list/qlpack.yml b/actions/ql/extensions/immutable-actions-list/qlpack.yml
index cc957721c12f..9d45d8034680 100644
--- a/actions/ql/extensions/immutable-actions-list/qlpack.yml
+++ b/actions/ql/extensions/immutable-actions-list/qlpack.yml
@@ -4,6 +4,7 @@
 name: github/immutable-actions-list
 version: 0.0.1-dev
 library: true
+warnOnImplicitThis: true
 extensionTargets:
 # We expect to need this model pack even after GA of Actions analysis, so make it compatible with
 # all future prereleases plus 1.x.x. We should be able to remove this back before we need to
From abc174858e83ba019c46d8394ccd7737f55fc036 Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo
Date: Thu, 27 Feb 2025 12:15:40 -0500
Subject: [PATCH 4/5] Remove `octokit` as trusted Actions owner
---
 actions/ql/lib/ext/config/trusted_actions_owner.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/actions/ql/lib/ext/config/trusted_actions_owner.yml b/actions/ql/lib/ext/config/trusted_actions_owner.yml
index 9efc450e334d..676c931e50cf 100644
--- a/actions/ql/lib/ext/config/trusted_actions_owner.yml
+++ b/actions/ql/lib/ext/config/trusted_actions_owner.yml
@@ -6,4 +6,3 @@ extensions:
 - ["actions"]
 - ["github"]
 - ["advanced-security"]
- - ["octokit"]
From 2dde9ab6b98651c15d64d5d511a926088f2d216c Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo
Date: Thu, 27 Feb 2025 12:30:11 -0500
Subject: [PATCH 5/5] Move `immutable-actions-list` pack to `codeql` org
---
 actions/ql/extensions/immutable-actions-list/qlpack.yml | 2 +-
 actions/ql/lib/ext/config/immutable_actions.yml | 2 +-
 actions/ql/test/qlpack.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/actions/ql/extensions/immutable-actions-list/qlpack.yml b/actions/ql/extensions/immutable-actions-list/qlpack.yml
index 9d45d8034680..8f606a199f48 100644
--- a/actions/ql/extensions/immutable-actions-list/qlpack.yml
+++ b/actions/ql/extensions/immutable-actions-list/qlpack.yml
@@ -1,7 +1,7 @@
 # Model pack containing the list of known immutable actions. The Immutable Actions feature is not
 # yet released, so this pack will only be used within GitHub. Once the feature is available to
 # customers, we will move the contents of this pack back into the standard library pack.
-name: github/immutable-actions-list
+name: codeql/immutable-actions-list
 version: 0.0.1-dev
 library: true
 warnOnImplicitThis: true
diff --git a/actions/ql/lib/ext/config/immutable_actions.yml b/actions/ql/lib/ext/config/immutable_actions.yml
index 6a57ce21d532..1ff48dcb65d1 100644
--- a/actions/ql/lib/ext/config/immutable_actions.yml
+++ b/actions/ql/lib/ext/config/immutable_actions.yml
@@ -4,7 +4,7 @@ extensions:
 extensible: immutableActionsDataModel
 # Since the Immutable Actions feature is not yet available to customers, we won't alert about
 # any unversioned immutable action references for now. Within GitHub, we'll include the
- # `github/immutable-actions-list` model pack, which will provide the necessary list of actions
+ # `codeql/immutable-actions-list` model pack, which will provide the necessary list of actions
 # for internal use. Once the feature is available to customers, we'll move that list back into
 # this file.
 data: []
diff --git a/actions/ql/test/qlpack.yml b/actions/ql/test/qlpack.yml
index 8eaedd2f690c..139e8e57c62e 100644
--- a/actions/ql/test/qlpack.yml
+++ b/actions/ql/test/qlpack.yml
@@ -6,7 +6,7 @@ dependencies:
 # Use the `immutable-actions-list` model pack so that we have some actual data to test against.
 # We can remove this dependency when we incorporate the data from that model pack back into the
 # standard library pack.
- github/immutable-actions-list: ${workspace}
+ codeql/immutable-actions-list: ${workspace}
 extractor: actions
 tests: .
 warnOnImplicitThis: true