Apply suggestions from code review (comments)

JarLob · adityasharad · web-flow · commit 8f1bccbb4d67 · 2023-04-13T22:55:53.000+02:00
Co-authored-by: Aditya Sharad &lt;6874315+adityasharad@users.noreply.github.com&gt;
diff --git a/javascript/ql/lib/change-notes/2023-04-03-gh-injection.md b/javascript/ql/lib/change-notes/2023-04-03-gh-injection.md
@@ -1,4 +1,4 @@
 ---
 category: minorAnalysis
 ---
-* Fixes and improvements in GitHub Actions Injection query.
+* Improved the queries for injection vulnerabilities in GitHub Actions workflows (`js/actions/command-injection` and `js/actions/pull-request-target`) and the associated library `semmle.javascript.Actions`. These now support steps defined in composite actions, in addition to steps defined in Actions workflow files.
diff --git a/javascript/ql/lib/semmle/javascript/Actions.qll b/javascript/ql/lib/semmle/javascript/Actions.qll
@@ -234,10 +234,10 @@ module Actions {
     /** Gets the 0-based position of this step within the sequence of `steps`. */
     int getIndex() { result = index }
 
-    /** Gets the `job` this step belongs to. The step may belong to a `job` in a workflow or `runs` in a custom action. */
+    /** Gets the `job` this step belongs to, if the step belongs to a `job` in a workflow. Has no result if the step belongs to `runs` in a custom action. */
     Job getJob() { result = parent }
 
-    /** Gets the `runs` this step belongs to. The step may belong to a `job` in a workflow or `runs` in a custom action. */
+    /** Gets the `runs` this step belongs to, if the step belongs to a `runs` in a custom action. Has no result if the step belongs to a `job` in a workflow. */
     Runs getRuns() { result = parent }
 
     /** Gets the value of the `uses` field in this step, if any. */
