@nicallen nicallen commented Nov 4, 2025

Summary

Add a new dataflow analysis implementation, which provides a framework for sophisticated static analysis of build pipeline specifications (including GitHub Actions workflows and Bash shell scripts). Replaces the existing analysis for callgraph and build command identification.

Description of changes

Adds a new dataflow analysis implementation. Removes the previous callgraph representation and analysis. Updates checks to use the new analysis for identification of build commands. Updates unit tests to work with the changes. Adds two new dependencies: lark (parser library used to implement parsing of the GitHub expression language) and frozendict (data structure library used within the dataflow analysis where hashable dicts are needed).

Related issues

Checklist

  • I have reviewed the contribution guide.
  • My PR title and commits follow the Conventional Commits convention.
  • My commits include the "Signed-off-by" line.
  • I have signed my commits following the instructions provided by GitHub. Note that we run GitHub's commit verification tool to check the commit signatures. A green verified label should appear next to all of your commits on GitHub.
  • I have updated the relevant documentation, if applicable.
  • I have tested my changes and verified they work as expected.
    • In addition to unit and integration tests, evaluated the effect on build spec generation for 100 purls from the reproducible central dataset; for the vast majority the results were unchanged, and there were no significant undesirable differences.

@nicallen nicallen requested a review from behnazh-w as a code owner November 4, 2025 01:20
@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Nov 4, 2025
@behnazh-w behnazh-w changed the title feat: add new dataflow analysis, replacing existing analysis for GitH… feat: add new dataflow analysis, replacing existing analysis for GitHub Actions Nov 4, 2025
@nicallen nicallen force-pushed the nicallen/new-dataflow-analysis branch from b6d423e to 0f120aa Compare November 4, 2025 01:24