Description
First of all, thanks for your hard work! I'm a huge fan of CodeQL, and I think support for GitHub Actions within it is amazing.
I'm filing this because I recently tried to consume some of CodeQL's "models" in an external tool (zizmorcore/zizmor#849), and noticed what I think is a model imprecision/data quality issue.
For example, actions/ql/lib/ext/generated/composite-actions/airbytehq_airbyte.model.yml:

```yaml
extensions:
  - addsTo:
      pack: codeql/actions-all
      extensible: actionsSinkModel
    data:
      - ["airbytehq/airbyte", "*", "input.options", "code-injection", "generated"]
      - ["airbytehq/airbyte", "*", "input.subcommand", "code-injection", "generated"]
```
This implies that airbytehq/airbyte has a top-level action.ya?ml definition, but it doesn't: instead, it has a set of actions defined under airbytehq/airbyte/.github/actions, of which run-airbyte-ci appears to have the relevant injectable inputs:

```yaml
name: "Run Dagger pipeline"
description: "Runs a given dagger pipeline"
inputs:
  subcommand:
    description: "Subcommand for airbyte-ci"
    required: true
```
This appears to be true of most other model files in that directory, at least the ones marked "generated" in their definitions.
Expected behavior
Given that the inputs in question occur in an action that isn't at the repository root, I expected the model YAML to look roughly like this:

```yaml
extensions:
  - addsTo:
      pack: codeql/actions-all
      extensible: actionsSinkModel
    data:
      - ["airbytehq/airbyte/.github/actions/run-airbyte-ci", "*", "input.options", "code-injection", "generated"]
      - ["airbytehq/airbyte/.github/actions/run-airbyte-ci", "*", "input.subcommand", "code-injection", "generated"]
```
Actual behavior
The model YAML lists airbytehq/airbyte, leaving it unclear which actions within that repository have the injectable inputs.