Refactor trusted actions owner model

- use existing data extensions config and yml folder
- rename from trustedActionsOwner to trustedActionsOwnerDataModel
- update related predicates

Author: felickz

actions/ql/lib/change-notes/2025-01-07-trusted-owner-ext.md

@@ -1,4 +1,4 @@
 ---
 category: feature
 ---
-* Trusted Action owner list can now be expanded using data extensions for `trustedActionsOwner` on the query `actions/unpinned-tag`
+* Trusted Action owner list can now be expanded using data extensions for `trustedActionsOwnerDataModel` on the query `actions/unpinned-tag`

actions/ql/lib/codeql/actions/config/Config.qll

@@ -126,6 +126,13 @@ predicate vulnerableActionsDataModel(
  */
 predicate immutableActionsDataModel(string action) { Extensions::immutableActionsDataModel(action) }
 
+/**
+ * MaD models for trusted actions owners
+ * Fields:
+ *    - owner: owner name
+ */
+predicate trustedActionsOwnerDataModel(string owner) { Extensions::trustedActionsOwnerDataModel(owner) }
+
 /**
  * MaD models for untrusted git commands
  * Fields:

actions/ql/lib/codeql/actions/config/ConfigExtensions.qll

@@ -63,6 +63,12 @@ extensible predicate vulnerableActionsDataModel(
  */
 extensible predicate immutableActionsDataModel(string action);
 
+
+/** 
+ * Holds for trusted Actions owners.
+ */
+extensible predicate trustedActionsOwnerDataModel(string owner);
+
 /**
  * Holds for git commands that may introduce untrusted data when called on an attacker controlled branch.
  */

actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll

@@ -9,11 +9,6 @@ class UnversionedImmutableAction extends UsesStep {
   }
 }
 
-// The following predicate is extended in data extensions under actions/ql/lib/codeql/actions/security/owner/
-// and can be extended with custom model packs as necessary.
-/** Holds for actions owner defined in data extensions */
-extensible predicate trustedActionsOwner(string owner);
-
 bindingset[version]
 predicate isSemVer(string version) {
   // https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string with optional v prefix

actions/ql/lib/codeql/actions/security/owner/trusted/trusted_actions_owner.model.yml renamed to actions/ql/lib/ext/config/trusted_actions_owner.yml

@@ -1,7 +1,7 @@
 extensions:
   - addsTo: 
       pack: codeql/actions-all
-      extensible: trustedActionsOwner
+      extensible: trustedActionsOwnerDataModel
     data:      
       - ["actions"]
       - ["github"]

actions/ql/lib/qlpack.yml

@@ -14,4 +14,3 @@ dataExtensions:
   - ext/manual/*.model.yml
   - ext/generated/**/*.model.yml
   - ext/config/*.yml
-  - codeql/actions/security/owner/**/*.model.yml

actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql

@@ -20,7 +20,7 @@ private predicate isPinnedCommit(string version) { version.regexpMatch("^[A-Fa-f
 bindingset[nwo]
 private predicate isTrustedOwner(string nwo) {
   // Gets the segment before the first '/' in the name with owner(nwo) string
-  trustedActionsOwner(nwo.substring(0, nwo.indexOf("/")))
+  trustedActionsOwnerDataModel(nwo.substring(0, nwo.indexOf("/")))
 }
 
 from UsesStep uses, string nwo, string version, Workflow workflow, string name