@@ -22,13 +22,16 @@ where
2222 // TODO: (require to collect trigger types)
2323 // - add push to default branch?
2424 // - exclude pull_request_target when branches_ignore includes default branch or when branches does not include the default branch
25- j .getEnclosingWorkflow ( )
26- .hasTriggerEvent ( [
27- "check_run" , "check_suite" , "delete" , "discussion" , "discussion_comment" , "fork" ,
28- "gollum" , "issue_comment" , "issues" , "label" , "milestone" , "project" , "project_card" ,
29- "project_column" , "public" , "pull_request_comment" , "pull_request_target" ,
30- "repository_dispatch" , "schedule" , "watch" , "workflow_run"
31- ] ) and
25+ (
26+ j .getEnclosingWorkflow ( ) .hasTriggerEvent ( defaultBranchTriggerEvent ( ) )
27+ or
28+ j .getEnclosingWorkflow ( ) .hasTriggerEvent ( "workflow_call" ) and
29+ exists ( ExternalJob call , Workflow caller |
30+ call .getCallee ( ) = j .getLocation ( ) .getFile ( ) .getRelativePath ( ) and
31+ caller = call .getWorkflow ( ) and
32+ caller .hasTriggerEvent ( defaultBranchTriggerEvent ( ) )
33+ )
34+ ) and
3235 // The job checkouts untrusted code from a pull request
3336 j .getAStep ( ) = checkout and
3437 (
4043 // (The cache specific token can be leaked even for non-privileged workflows)
4144 checkout .getAFollowingStep ( ) instanceof PoisonableStep
4245 )
43- select j . getAStep ( ) . ( CacheWritingStep ) , "Potential cache poisoning on privileged workflow."
46+ select checkout , "Potential cache poisoning on privileged workflow."
0 commit comments