diff --git a/actions/ql/lib/codeql/actions/security/ControlChecks.qll b/actions/ql/lib/codeql/actions/security/ControlChecks.qll
index 244c04310d6d..3bb69b65f42c 100644
--- a/actions/ql/lib/codeql/actions/security/ControlChecks.qll
+++ b/actions/ql/lib/codeql/actions/security/ControlChecks.qll
@@ -37,8 +37,7 @@ string actor_not_attacker_event() {
       // actor and attacker can be different
       // actor may be a collaborator, but the attacker is may be the author of the PR that gets commented
       // therefore it may be vulnerable to TOCTOU races where the actor reviews one thing and the attacker changes it
-      "issue_comment",
-      "pull_request_comment",
+      "pull_request_comment", "issue_comment"
     ]
 }
 
diff --git a/actions/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/actions/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
index 9668fce2ae00..605008c2402d 100644
--- a/actions/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
@@ -3,7 +3,11 @@ private import codeql.actions.DataFlow
 private import codeql.actions.dataflow.FlowSources
 private import codeql.actions.TaintTracking
 
-string checkoutTriggers() {
+string checkoutTriggers() { result = ["pull_request_target", "workflow_run", "workflow_call"] }
+
+string issueCommentTriggers() { result = ["issue_comment"] }
+
+string allCheckoutTriggers() {
   result = ["pull_request_target", "workflow_run", "workflow_call", "issue_comment"]
 }
 
@@ -76,8 +80,7 @@ module ActionsMutableRefCheckoutFlow = TaintTracking::Global<ActionsMutableRefCh
 
 private module ActionsSHACheckoutConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
-    source.asExpr().getATriggerEvent().getName() =
-      ["pull_request_target", "workflow_run", "workflow_call", "issue_comment"] and
+    source.asExpr().getATriggerEvent().getName() = allCheckoutTriggers() and
     (
       // `ref` argument contains the PR head/merge commit sha
       exists(Expression e |
diff --git a/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md b/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md
index 71ba2032a9d0..c9baa12d2c48 100644
--- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md
+++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md
@@ -2,7 +2,7 @@
 
 ## Description
 
-GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed in a privileged job.
+GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the the trigger `pull_request_target` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed in a privileged job.
 
 ## Recommendations
 
diff --git a/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md b/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md
index 71ba2032a9d0..289943bac36d 100644
--- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md
+++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md
@@ -2,7 +2,7 @@
 
 ## Description
 
-GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed in a privileged job.
+GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the trigger `pull_request_target` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed in a privileged job.
 
 ## Recommendations
 
diff --git a/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql b/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
index 98b9aee33f77..9a33d535e4ce 100644
--- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
+++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
@@ -25,22 +25,6 @@ where
   // the checkout occurs in a privileged context
   inPrivilegedContext(checkout, event) and
   event.getName() = checkoutTriggers() and
-  (
-    // issue_comment: check for date comparison checks and actor/access control checks
-    event.getName() = "issue_comment" and
-    not exists(ControlCheck check, CommentVsHeadDateCheck date_check |
-      (
-        check instanceof ActorCheck or
-        check instanceof AssociationCheck or
-        check instanceof PermissionCheck
-      ) and
-      check.dominates(checkout) and
-      date_check.dominates(checkout)
-    )
-    or
-    // not issue_comment triggered workflows
-    not event.getName() = "issue_comment" and
-    not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout"))
-  )
+  not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout"))
 select checkout, "Potential execution of untrusted code on a privileged workflow ($@)", event,
   event.getName()
diff --git a/actions/ql/src/Security/CWE-829/UntrustedCheckoutIssueCommentCritical.md b/actions/ql/src/Security/CWE-829/UntrustedCheckoutIssueCommentCritical.md
new file mode 100644
index 000000000000..e9e1007b907c
--- /dev/null
+++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutIssueCommentCritical.md
@@ -0,0 +1,14 @@
+# Execution of Untrusted Checked-out Code Triggered by Issue Comment
+
+## Description
+
+GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the the trigger `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed in a privileged job.
+
+## Recommendations
+
+- Avoid using `issue_comment` unless necessary, consider using label gates instead to trigger workflows.
+- If you must use `issue_comment` to trigger workflow runs, consider limiting the token that forked repos can use to read-only access to the repository or disallowing forks entirely.
+
+Issue comment triggers are vulnerable to abuse by malicious actors. Triggering workflow run that checkout code through `issue_comment` can allow a malicious actor to execute code in the time between a comment being posted and the workflow run being triggered. Issue comment events are also not subject to the same security checks or pull request approvals that `pull_request` events are.
+
+- [How to Secure your GitHub Actions Workflows with CodeQL](https://github.blog/security/application-security/how-to-secure-your-github-actions-workflows-with-codeql/#issueoops-security-pitfalls-with-issue_comment-trigger)
diff --git a/actions/ql/src/Security/CWE-829/UntrustedCheckoutIssueCommentCritical.ql b/actions/ql/src/Security/CWE-829/UntrustedCheckoutIssueCommentCritical.ql
new file mode 100644
index 000000000000..d3b8d2e0ecd4
--- /dev/null
+++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutIssueCommentCritical.ql
@@ -0,0 +1,55 @@
+/**
+ * @name Checkout of untrusted code in trusted context
+ * @description Privileged workflows have read/write access to the base repository and access to secrets.
+ *              By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
+ *              that is able to push to the base repository and to access secrets.
+ * @kind path-problem
+ * @problem.severity warning
+ * @precision high
+ * @security-severity 0.0
+ * @id actions/untrusted-checkout-issue-comment/critical
+ * @tags actions
+ *       security
+ *       external/cwe/cwe-829
+ */
+
+import actions
+import codeql.actions.security.UntrustedCheckoutQuery
+import codeql.actions.security.PoisonableSteps
+import codeql.actions.security.ControlChecks
+
+query predicate edges(Step a, Step b) { a.getNextStep() = b }
+
+from PRHeadCheckoutStep checkout, PoisonableStep poisonable, Event event
+where
+  // the checkout is followed by a known poisonable step
+  checkout.getAFollowingStep() = poisonable and
+  (
+    poisonable instanceof Run and
+    (
+      // Check if the poisonable step is a local script execution step
+      // and the path of the command or script matches the path of the downloaded artifact
+      isSubpath(poisonable.(LocalScriptExecutionRunStep).getPath(), checkout.getPath())
+      or
+      // Checking the path for non local script execution steps is very difficult
+      not poisonable instanceof LocalScriptExecutionRunStep
+      // Its not easy to extract the path from a non-local script execution step so skipping this check for now
+      // and isSubpath(poisonable.(Run).getWorkingDirectory(), checkout.getPath())
+    )
+    or
+    poisonable instanceof UsesStep and
+    (
+      not poisonable instanceof LocalActionUsesStep and
+      checkout.getPath() = "GITHUB_WORKSPACE/"
+      or
+      isSubpath(poisonable.(LocalActionUsesStep).getPath(), checkout.getPath())
+    )
+  ) and
+  // the checkout occurs in a privileged context
+  inPrivilegedContext(poisonable, event) and
+  inPrivilegedContext(checkout, event) and
+  event.getName() = issueCommentTriggers() and
+  not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout")) and
+  not exists(ControlCheck check | check.protects(poisonable, event, "untrusted-checkout"))
+select poisonable, checkout, poisonable,
+  "Potential execution of untrusted code on a privileged workflow ($@).", event, event.getName()
diff --git a/actions/ql/src/Security/CWE-829/UntrustedCheckoutIssueCommentHigh.md b/actions/ql/src/Security/CWE-829/UntrustedCheckoutIssueCommentHigh.md
new file mode 100644
index 000000000000..e9e1007b907c
--- /dev/null
+++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutIssueCommentHigh.md
@@ -0,0 +1,14 @@
+# Execution of Untrusted Checked-out Code Triggered by Issue Comment
+
+## Description
+
+GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the the trigger `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed in a privileged job.
+
+## Recommendations
+
+- Avoid using `issue_comment` unless necessary, consider using label gates instead to trigger workflows.
+- If you must use `issue_comment` to trigger workflow runs, consider limiting the token that forked repos can use to read-only access to the repository or disallowing forks entirely.
+
+Issue comment triggers are vulnerable to abuse by malicious actors. Triggering workflow run that checkout code through `issue_comment` can allow a malicious actor to execute code in the time between a comment being posted and the workflow run being triggered. Issue comment events are also not subject to the same security checks or pull request approvals that `pull_request` events are.
+
+- [How to Secure your GitHub Actions Workflows with CodeQL](https://github.blog/security/application-security/how-to-secure-your-github-actions-workflows-with-codeql/#issueoops-security-pitfalls-with-issue_comment-trigger)
diff --git a/actions/ql/src/Security/CWE-829/UntrustedCheckoutIssueCommentHigh.ql b/actions/ql/src/Security/CWE-829/UntrustedCheckoutIssueCommentHigh.ql
new file mode 100644
index 000000000000..51c4d40be628
--- /dev/null
+++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutIssueCommentHigh.ql
@@ -0,0 +1,30 @@
+/**
+ * @name Checkout of untrusted code in trusted context
+ * @description Privileged workflows have read/write access to the base repository and access to secrets.
+ *              By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
+ *              that is able to push to the base repository and to access secrets.
+ * @kind problem
+ * @problem.severity warning
+ * @precision high
+ * @security-severity 0.0
+ * @id actions/untrusted-checkout-issue-comment/high
+ * @tags actions
+ *       security
+ *       external/cwe/cwe-829
+ */
+
+import actions
+import codeql.actions.security.UntrustedCheckoutQuery
+import codeql.actions.security.PoisonableSteps
+import codeql.actions.security.ControlChecks
+
+from PRHeadCheckoutStep checkout, Event event
+where
+  // the checkout is NOT followed by a known poisonable step
+  not checkout.getAFollowingStep() instanceof PoisonableStep and
+  // the checkout occurs in a privileged context
+  inPrivilegedContext(checkout, event) and
+  event.getName() = issueCommentTriggers() and
+  not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout"))
+select checkout, "Potential execution of untrusted code on a privileged workflow ($@).", event,
+  event.getName()
diff --git a/actions/ql/src/change-notes/released/0.6.0.md b/actions/ql/src/change-notes/released/0.6.0.md
new file mode 100644
index 000000000000..7973f4745def
--- /dev/null
+++ b/actions/ql/src/change-notes/released/0.6.0.md
@@ -0,0 +1,5 @@
+## 0.6.0
+
+### Major Analysis Improvements
+
+* Moved the trigger `issueComment` in the actions/untrusted-checkout-high (CWE-829) and actions/untrusted-checkout-critical (CWE-829) queries to separate queries (actions/untrusted-checkout-issue-comment-high and actions/untrusted-checkout-issue-comment-critical) because while they are vulnerable to the same attack, they do not have the same resolution. Further work is needed to make this trigger safer to use.
diff --git a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
index 5d7a94aead0b..721f42747b6f 100644
--- a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
+++ b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
@@ -332,12 +332,8 @@ edges
 | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | pull_request_target |
 | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | pull_request_target |
-| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment |
 | .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment |
 | .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment |
 | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
 | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
 | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
@@ -347,19 +343,10 @@ edges
 | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
 | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
 | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller3.yaml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/test7.yml:59:9:60:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:59:9:60:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/test7.yml:60:9:60:37 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:60:9:60:37 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
 | .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | pull_request_target |
-| .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test11.yml:5:3:5:15 | issue_comment | issue_comment |
 | .github/workflows/test17.yml:19:15:23:58 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test17.yml:3:5:3:16 | workflow_run | workflow_run |
 | .github/workflows/test27.yml:21:9:22:16 | Run Step | .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:21:9:22:16 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test26.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test29.yml:14:7:21:11 | Uses Step | .github/workflows/test29.yml:8:7:14:4 | Uses Step | .github/workflows/test29.yml:14:7:21:11 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test29.yml:1:5:1:23 | pull_request_target | pull_request_target |
 | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
-| .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
-| .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
 | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target |
 | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target |
diff --git a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected
index 6e33259f3922..dc04a37d5558 100644
--- a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected
+++ b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected
@@ -1,22 +1,6 @@
-| .github/workflows/issue_comment_direct.yml:12:9:16:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_direct.yml:20:9:24:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_direct.yml:28:9:32:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_direct.yml:35:9:40:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_direct.yml:43:9:46:126 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_heuristic.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_heuristic.yml:48:7:50:46 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_heuristic.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit2.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
 | .github/workflows/pr-workflow.yml:103:9:109:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
 | .github/workflows/pr-workflow.yml:139:9:144:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
 | .github/workflows/pr-workflow.yml:444:9:449:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/test13.yml:20:7:25:4 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test13.yml:2:3:2:15 | issue_comment | issue_comment |
-| .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout2.yml:1:5:1:17 | issue_comment | issue_comment |
 | .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/workflow_run_untrusted_checkout.yml:2:3:2:14 | workflow_run | workflow_run |
 | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/workflow_run_untrusted_checkout.yml:2:3:2:14 | workflow_run | workflow_run |
 | .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/workflow_run_untrusted_checkout_2.yml:2:3:2:14 | workflow_run | workflow_run |
diff --git a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutIssueCommentCritical.expected b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutIssueCommentCritical.expected
new file mode 100644
index 000000000000..8dc91ea599bd
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutIssueCommentCritical.expected
@@ -0,0 +1,337 @@
+edges
+| .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step |
+| .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step |
+| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/actions/download-artifact-2/action.yaml:25:7:29:4 | Run Step |
+| .github/actions/download-artifact-2/action.yaml:25:7:29:4 | Run Step | .github/actions/download-artifact-2/action.yaml:29:7:32:18 | Run Step |
+| .github/actions/download-artifact-2/action.yaml:29:7:32:18 | Run Step | .github/workflows/artifactpoisoning92.yml:19:9:25:6 | Run Step: metadata |
+| .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | .github/actions/download-artifact/action.yaml:25:7:29:4 | Run Step |
+| .github/actions/download-artifact/action.yaml:25:7:29:4 | Run Step | .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step |
+| .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step | .github/workflows/artifactpoisoning91.yml:19:9:25:6 | Run Step: metadata |
+| .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step | .github/workflows/resolve-args.yml:22:9:36:13 | Run Step: resolve-step |
+| .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step |
+| .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step |
+| .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step |
+| .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step |
+| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:32:9:36:6 | Run Step |
+| .github/workflows/artifactpoisoning11.yml:32:9:36:6 | Run Step | .github/workflows/artifactpoisoning11.yml:36:9:38:78 | Run Step |
+| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:32:9:36:6 | Run Step |
+| .github/workflows/artifactpoisoning12.yml:32:9:36:6 | Run Step | .github/workflows/artifactpoisoning12.yml:36:9:38:26 | Run Step |
+| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:18:9:20:21 | Run Step |
+| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:17:9:18:20 | Run Step |
+| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:15:9:18:6 | Run Step |
+| .github/workflows/artifactpoisoning31.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning31.yml:18:9:19:23 | Run Step |
+| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:16:9:18:20 | Run Step |
+| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:16:9:18:20 | Run Step |
+| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:16:9:20:6 | Uses Step |
+| .github/workflows/artifactpoisoning34.yml:16:9:20:6 | Uses Step | .github/workflows/artifactpoisoning34.yml:20:9:22:23 | Run Step |
+| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:21:9:22:23 | Run Step |
+| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:21:9:22:19 | Run Step |
+| .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:15:9:18:6 | Run Step |
+| .github/workflows/artifactpoisoning51.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning51.yml:18:9:20:57 | Run Step |
+| .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:15:9:18:6 | Run Step |
+| .github/workflows/artifactpoisoning52.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning52.yml:18:9:22:40 | Run Step |
+| .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:15:9:18:6 | Run Step |
+| .github/workflows/artifactpoisoning53.yml:15:9:18:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:9:23:29 | Run Step |
+| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:16:9:18:40 | Run Step |
+| .github/workflows/artifactpoisoning81.yml:11:9:14:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:14:9:16:6 | Run Step |
+| .github/workflows/artifactpoisoning81.yml:14:9:16:6 | Run Step | .github/workflows/artifactpoisoning81.yml:16:9:22:2 | Uses Step |
+| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:9:31:28 | Run Step |
+| .github/workflows/artifactpoisoning82.yml:11:9:14:6 | Uses Step | .github/workflows/artifactpoisoning82.yml:14:9:16:6 | Run Step |
+| .github/workflows/artifactpoisoning82.yml:14:9:16:6 | Run Step | .github/workflows/artifactpoisoning82.yml:16:9:22:2 | Uses Step |
+| .github/workflows/artifactpoisoning82.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning82.yml:31:9:31:28 | Run Step |
+| .github/workflows/artifactpoisoning91.yml:17:9:18:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:18:9:19:6 | Uses Step |
+| .github/workflows/artifactpoisoning91.yml:18:9:19:6 | Uses Step | .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step |
+| .github/workflows/artifactpoisoning91.yml:18:9:19:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:19:9:25:6 | Run Step: metadata |
+| .github/workflows/artifactpoisoning91.yml:19:9:25:6 | Run Step: metadata | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step |
+| .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step |
+| .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step |
+| .github/workflows/artifactpoisoning92.yml:17:9:18:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:18:9:19:6 | Uses Step |
+| .github/workflows/artifactpoisoning92.yml:18:9:19:6 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step |
+| .github/workflows/artifactpoisoning92.yml:18:9:19:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:19:9:25:6 | Run Step: metadata |
+| .github/workflows/artifactpoisoning92.yml:19:9:25:6 | Run Step: metadata | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step |
+| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step |
+| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step |
+| .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:16:9:19:59 | Run Step: pr_number |
+| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step |
+| .github/workflows/auto_ci.yml:27:9:32:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step |
+| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:37:9:40:6 | Run Step |
+| .github/workflows/auto_ci.yml:37:9:40:6 | Run Step | .github/workflows/auto_ci.yml:40:9:44:6 | Run Step |
+| .github/workflows/auto_ci.yml:40:9:44:6 | Run Step | .github/workflows/auto_ci.yml:44:9:48:6 | Run Step |
+| .github/workflows/auto_ci.yml:44:9:48:6 | Run Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step |
+| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step |
+| .github/workflows/auto_ci.yml:74:9:79:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step |
+| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step |
+| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step |
+| .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files |
+| .github/workflows/auto_ci.yml:96:9:108:6 | Run Step: stage_files | .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr |
+| .github/workflows/auto_ci.yml:108:9:119:6 | Uses Step: create_pr | .github/workflows/auto_ci.yml:119:9:125:6 | Run Step |
+| .github/workflows/auto_ci.yml:119:9:125:6 | Run Step | .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step |
+| .github/workflows/auto_ci.yml:125:9:133:6 | Uses Step | .github/workflows/auto_ci.yml:133:9:135:20 | Run Step |
+| .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | .github/workflows/dependabot1.yml:19:9:23:6 | Run Step: nvm |
+| .github/workflows/dependabot1.yml:19:9:23:6 | Run Step: nvm | .github/workflows/dependabot1.yml:23:9:28:6 | Uses Step |
+| .github/workflows/dependabot1.yml:23:9:28:6 | Uses Step | .github/workflows/dependabot1.yml:28:9:31:6 | Run Step |
+| .github/workflows/dependabot1.yml:28:9:31:6 | Run Step | .github/workflows/dependabot1.yml:31:9:34:6 | Run Step |
+| .github/workflows/dependabot1.yml:31:9:34:6 | Run Step | .github/workflows/dependabot1.yml:34:9:36:2 | Run Step |
+| .github/workflows/dependabot1.yml:39:9:43:6 | Uses Step | .github/workflows/dependabot1.yml:43:9:45:29 | Uses Step |
+| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | .github/workflows/dependabot2.yml:38:9:42:6 | Run Step: nvm |
+| .github/workflows/dependabot2.yml:38:9:42:6 | Run Step: nvm | .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step |
+| .github/workflows/dependabot2.yml:42:9:47:6 | Uses Step | .github/workflows/dependabot2.yml:47:9:52:6 | Run Step |
+| .github/workflows/dependabot2.yml:47:9:52:6 | Run Step | .github/workflows/dependabot2.yml:52:9:58:6 | Run Step |
+| .github/workflows/dependabot2.yml:52:9:58:6 | Run Step | .github/workflows/dependabot2.yml:58:9:61:6 | Run Step |
+| .github/workflows/dependabot2.yml:58:9:61:6 | Run Step | .github/workflows/dependabot2.yml:61:9:68:19 | Run Step |
+| .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:20:9:25:6 | Uses Step |
+| .github/workflows/dependabot3.yml:20:9:25:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone |
+| .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:48:9:52:57 | Run Step |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:14:9:19:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:25:9:70:20 | Run Step |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step |
+| .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:18:11:21:8 | Uses Step |
+| .github/workflows/gitcheckout.yml:18:11:21:8 | Uses Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step |
+| .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step |
+| .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step |
+| .github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step |
+| .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | .github/workflows/issue_comment_3rd_party_action.yml:49:9:52:25 | Uses Step |
+| .github/workflows/issue_comment_heuristic.yml:11:9:24:6 | Uses Step: get-pr-info | .github/workflows/issue_comment_heuristic.yml:24:9:28:6 | Run Step: get-sha |
+| .github/workflows/issue_comment_heuristic.yml:24:9:28:6 | Run Step: get-sha | .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step |
+| .github/workflows/issue_comment_heuristic.yml:37:7:48:4 | Run Step: vars | .github/workflows/issue_comment_heuristic.yml:48:7:50:46 | Uses Step |
+| .github/workflows/issue_comment_octokit2.yml:12:9:19:6 | Uses Step: fetch_issue | .github/workflows/issue_comment_octokit2.yml:19:9:26:6 | Uses Step: fetch_pr |
+| .github/workflows/issue_comment_octokit2.yml:19:9:26:6 | Uses Step: fetch_pr | .github/workflows/issue_comment_octokit2.yml:26:9:27:6 | name: C ... ildcard |
+| .github/workflows/issue_comment_octokit2.yml:26:9:27:6 | name: C ... ildcard | .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step |
+| .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step | .github/workflows/issue_comment_octokit2.yml:31:9:33:6 | Uses Step |
+| .github/workflows/issue_comment_octokit2.yml:31:9:33:6 | Uses Step | .github/workflows/issue_comment_octokit2.yml:33:9:37:6 | Uses Step |
+| .github/workflows/issue_comment_octokit2.yml:33:9:37:6 | Uses Step | .github/workflows/issue_comment_octokit2.yml:37:9:38:37 | Uses Step |
+| .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr |
+| .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step |
+| .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step |
+| .github/workflows/issue_comment_octokit.yml:38:9:52:6 | Uses Step: get-pr-info | .github/workflows/issue_comment_octokit.yml:52:9:57:6 | Run Step: get-sha |
+| .github/workflows/issue_comment_octokit.yml:52:9:57:6 | Run Step: get-sha | .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step |
+| .github/workflows/issue_comment_octokit.yml:66:9:79:6 | Uses Step: sha | .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step |
+| .github/workflows/issue_comment_octokit.yml:87:9:95:6 | Uses Step: sha | .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step |
+| .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step |
+| .github/workflows/label_trusted_checkout1.yml:11:7:15:4 | Uses Step | .github/workflows/label_trusted_checkout1.yml:15:7:16:4 | Uses Step |
+| .github/workflows/label_trusted_checkout1.yml:15:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout1.yml:16:7:20:4 | Run Step |
+| .github/workflows/label_trusted_checkout1.yml:16:7:20:4 | Run Step | .github/workflows/label_trusted_checkout1.yml:20:7:24:4 | Uses Step |
+| .github/workflows/label_trusted_checkout1.yml:20:7:24:4 | Uses Step | .github/workflows/label_trusted_checkout1.yml:24:7:27:21 | Uses Step |
+| .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:16:7:17:4 | Uses Step |
+| .github/workflows/label_trusted_checkout2.yml:16:7:17:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step |
+| .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | .github/workflows/label_trusted_checkout2.yml:21:7:25:4 | Uses Step |
+| .github/workflows/label_trusted_checkout2.yml:21:7:25:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:25:7:28:21 | Uses Step |
+| .github/workflows/level0.yml:33:9:36:6 | Uses Step | .github/workflows/level0.yml:36:9:39:6 | Uses Step |
+| .github/workflows/level0.yml:36:9:39:6 | Uses Step | .github/workflows/level0.yml:39:9:52:2 | Run Step: check_profanities |
+| .github/workflows/level0.yml:62:9:65:6 | Uses Step | .github/workflows/level0.yml:65:9:86:2 | Uses Step |
+| .github/workflows/level0.yml:96:9:99:6 | Uses Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step |
+| .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:103:9:107:6 | Uses Step |
+| .github/workflows/level0.yml:103:9:107:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step |
+| .github/workflows/level0.yml:122:9:125:6 | Uses Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step |
+| .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:129:9:133:6 | Uses Step |
+| .github/workflows/level0.yml:129:9:133:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step |
+| .github/workflows/mend.yml:13:9:22:6 | Run Step: set_ref | .github/workflows/mend.yml:22:9:29:6 | Uses Step |
+| .github/workflows/mend.yml:22:9:29:6 | Uses Step | .github/workflows/mend.yml:29:9:33:28 | Uses Step |
+| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:37:9:42:6 | Uses Step |
+| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step |
+| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:47:9:52:6 | Run Step |
+| .github/workflows/poc2.yml:47:9:52:6 | Run Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step |
+| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:25:7:31:4 | Uses Step |
+| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:31:7:33:4 | Uses Step |
+| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step |
+| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step |
+| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step |
+| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step |
+| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step |
+| .github/workflows/poc3.yml:42:7:43:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step |
+| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:36:9:38:6 | Uses Step |
+| .github/workflows/poc.yml:36:9:38:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step |
+| .github/workflows/poc.yml:38:9:43:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step |
+| .github/workflows/pr-workflow.yml:57:9:60:6 | Uses Step | .github/workflows/pr-workflow.yml:60:9:70:6 | Uses Step |
+| .github/workflows/pr-workflow.yml:60:9:70:6 | Uses Step | .github/workflows/pr-workflow.yml:70:9:78:6 | Uses Step |
+| .github/workflows/pr-workflow.yml:70:9:78:6 | Uses Step | .github/workflows/pr-workflow.yml:78:9:81:2 | Run Step: ok |
+| .github/workflows/pr-workflow.yml:103:9:109:6 | Uses Step | .github/workflows/pr-workflow.yml:109:9:124:6 | Uses Step |
+| .github/workflows/pr-workflow.yml:109:9:124:6 | Uses Step | .github/workflows/pr-workflow.yml:124:9:126:2 | Run Step |
+| .github/workflows/pr-workflow.yml:139:9:144:6 | Uses Step | .github/workflows/pr-workflow.yml:144:9:147:6 | Uses Step |
+| .github/workflows/pr-workflow.yml:144:9:147:6 | Uses Step | .github/workflows/pr-workflow.yml:147:9:148:6 | Uses Step |
+| .github/workflows/pr-workflow.yml:147:9:148:6 | Uses Step | .github/workflows/pr-workflow.yml:148:9:154:6 | Uses Step |
+| .github/workflows/pr-workflow.yml:148:9:154:6 | Uses Step | .github/workflows/pr-workflow.yml:154:9:158:6 | Run Step |
+| .github/workflows/pr-workflow.yml:154:9:158:6 | Run Step | .github/workflows/pr-workflow.yml:158:9:196:2 | Run Step: ok |
+| .github/workflows/pr-workflow.yml:209:9:216:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step |
+| .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step |
+| .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | .github/workflows/pr-workflow.yml:227:9:230:2 | Run Step: ok |
+| .github/workflows/pr-workflow.yml:243:9:250:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step |
+| .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step |
+| .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | .github/workflows/pr-workflow.yml:261:9:265:2 | Run Step: ok |
+| .github/workflows/pr-workflow.yml:277:9:284:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step |
+| .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step |
+| .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | .github/workflows/pr-workflow.yml:295:9:298:2 | Run Step: ok |
+| .github/workflows/pr-workflow.yml:309:9:314:6 | Run Step | .github/workflows/pr-workflow.yml:314:9:318:6 | Run Step |
+| .github/workflows/pr-workflow.yml:314:9:318:6 | Run Step | .github/workflows/pr-workflow.yml:318:9:323:2 | Run Step |
+| .github/workflows/pr-workflow.yml:337:9:343:6 | Uses Step | .github/workflows/pr-workflow.yml:343:9:346:6 | Uses Step |
+| .github/workflows/pr-workflow.yml:343:9:346:6 | Uses Step | .github/workflows/pr-workflow.yml:346:9:351:6 | Uses Step |
+| .github/workflows/pr-workflow.yml:346:9:351:6 | Uses Step | .github/workflows/pr-workflow.yml:351:9:355:6 | Run Step |
+| .github/workflows/pr-workflow.yml:351:9:355:6 | Run Step | .github/workflows/pr-workflow.yml:355:9:369:2 | Uses Step |
+| .github/workflows/pr-workflow.yml:380:9:386:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step |
+| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step |
+| .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step |
+| .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step |
+| .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step |
+| .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step |
+| .github/workflows/pr-workflow.yml:444:9:449:6 | Uses Step | .github/workflows/pr-workflow.yml:449:9:452:6 | Uses Step |
+| .github/workflows/pr-workflow.yml:449:9:452:6 | Uses Step | .github/workflows/pr-workflow.yml:452:9:453:6 | Uses Step |
+| .github/workflows/pr-workflow.yml:452:9:453:6 | Uses Step | .github/workflows/pr-workflow.yml:453:9:459:6 | Uses Step |
+| .github/workflows/pr-workflow.yml:453:9:459:6 | Uses Step | .github/workflows/pr-workflow.yml:459:9:462:6 | Run Step |
+| .github/workflows/pr-workflow.yml:459:9:462:6 | Run Step | .github/workflows/pr-workflow.yml:462:9:463:48 | Run Step: ok |
+| .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | .github/workflows/priv_pull_request_checkout.yml:20:9:23:52 | Run Step |
+| .github/workflows/resolve-args.yml:19:9:20:6 | Uses Step | .github/workflows/resolve-args.yml:20:9:22:6 | Uses Step |
+| .github/workflows/resolve-args.yml:20:9:22:6 | Uses Step | .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step |
+| .github/workflows/resolve-args.yml:20:9:22:6 | Uses Step | .github/workflows/resolve-args.yml:22:9:36:13 | Run Step: resolve-step |
+| .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step |
+| .github/workflows/test1.yml:18:9:21:6 | Uses Step | .github/workflows/test1.yml:21:9:24:6 | Run Step |
+| .github/workflows/test1.yml:21:9:24:6 | Run Step | .github/workflows/test1.yml:24:9:25:39 | Run Step |
+| .github/workflows/test2.yml:13:9:16:6 | Uses Step | .github/workflows/test2.yml:16:9:20:52 | Uses Step |
+| .github/workflows/test3.yml:28:9:33:6 | Uses Step | .github/workflows/test3.yml:33:9:35:6 | Run Step |
+| .github/workflows/test3.yml:33:9:35:6 | Run Step | .github/workflows/test3.yml:35:9:41:63 | Uses Step |
+| .github/workflows/test4.yml:18:7:25:4 | Uses Step | .github/workflows/test4.yml:25:7:31:4 | Uses Step |
+| .github/workflows/test4.yml:25:7:31:4 | Uses Step | .github/workflows/test4.yml:31:7:33:4 | Uses Step |
+| .github/workflows/test4.yml:31:7:33:4 | Uses Step | .github/workflows/test4.yml:33:7:38:4 | Uses Step |
+| .github/workflows/test4.yml:33:7:38:4 | Uses Step | .github/workflows/test4.yml:38:7:40:4 | Run Step |
+| .github/workflows/test4.yml:38:7:40:4 | Run Step | .github/workflows/test4.yml:40:7:41:4 | Run Step |
+| .github/workflows/test4.yml:40:7:41:4 | Run Step | .github/workflows/test4.yml:41:7:42:4 | Run Step |
+| .github/workflows/test4.yml:41:7:42:4 | Run Step | .github/workflows/test4.yml:42:7:43:4 | Run Step |
+| .github/workflows/test4.yml:42:7:43:4 | Run Step | .github/workflows/test4.yml:43:7:47:4 | Uses Step |
+| .github/workflows/test4.yml:43:7:47:4 | Uses Step | .github/workflows/test4.yml:47:7:47:28 | Run Step |
+| .github/workflows/test5.yml:13:9:28:6 | Uses Step: issue | .github/workflows/test5.yml:28:9:32:6 | Uses Step |
+| .github/workflows/test5.yml:28:9:32:6 | Uses Step | .github/workflows/test5.yml:32:9:34:2 | Run Step |
+| .github/workflows/test5.yml:39:9:54:6 | Uses Step: issue | .github/workflows/test5.yml:54:9:58:6 | Uses Step |
+| .github/workflows/test5.yml:54:9:58:6 | Uses Step | .github/workflows/test5.yml:58:9:60:2 | Run Step |
+| .github/workflows/test5.yml:64:9:68:6 | Uses Step | .github/workflows/test5.yml:68:9:68:43 | Run Step |
+| .github/workflows/test6.yml:19:9:39:6 | Uses Step | .github/workflows/test6.yml:39:9:43:6 | Run Step |
+| .github/workflows/test6.yml:39:9:43:6 | Run Step | .github/workflows/test6.yml:43:9:45:52 | Run Step |
+| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:24:9:27:6 | Uses Step |
+| .github/workflows/test7.yml:24:9:27:6 | Uses Step | .github/workflows/test7.yml:27:9:33:6 | Uses Step |
+| .github/workflows/test7.yml:27:9:33:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step |
+| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:36:9:39:6 | Run Step |
+| .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command |
+| .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr |
+| .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | .github/workflows/test7.yml:59:9:60:6 | Run Step |
+| .github/workflows/test7.yml:59:9:60:6 | Run Step | .github/workflows/test7.yml:60:9:60:37 | Run Step |
+| .github/workflows/test8.yml:20:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:29:2 | Run Step |
+| .github/workflows/test9.yml:11:9:16:6 | Uses Step | .github/workflows/test9.yml:16:9:17:48 | Run Step |
+| .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step |
+| .github/workflows/test11.yml:30:7:45:4 | Run Step | .github/workflows/test11.yml:45:7:84:4 | Run Step: environment |
+| .github/workflows/test11.yml:45:7:84:4 | Run Step: environment | .github/workflows/test11.yml:84:7:90:4 | Uses Step |
+| .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step |
+| .github/workflows/test12.yml:32:7:47:4 | Run Step | .github/workflows/test12.yml:47:7:86:4 | Run Step: environment |
+| .github/workflows/test12.yml:47:7:86:4 | Run Step: environment | .github/workflows/test12.yml:86:7:92:4 | Uses Step |
+| .github/workflows/test12.yml:86:7:92:4 | Uses Step | .github/workflows/test12.yml:92:7:95:54 | Uses Step |
+| .github/workflows/test13.yml:14:7:20:4 | Uses Step | .github/workflows/test13.yml:20:7:25:4 | Uses Step |
+| .github/workflows/test13.yml:20:7:25:4 | Uses Step | .github/workflows/test13.yml:25:7:28:4 | Uses Step |
+| .github/workflows/test13.yml:25:7:28:4 | Uses Step | .github/workflows/test13.yml:28:7:31:50 | Run Step |
+| .github/workflows/test14.yml:38:7:41:4 | Uses Step | .github/workflows/test14.yml:41:7:44:4 | Run Step |
+| .github/workflows/test14.yml:41:7:44:4 | Run Step | .github/workflows/test14.yml:44:7:58:4 | Run Step |
+| .github/workflows/test14.yml:44:7:58:4 | Run Step | .github/workflows/test14.yml:58:7:76:2 | Run Step: environment |
+| .github/workflows/test14.yml:90:7:94:4 | Uses Step: comment-branch | .github/workflows/test14.yml:94:7:101:4 | Uses Step |
+| .github/workflows/test14.yml:94:7:101:4 | Uses Step | .github/workflows/test14.yml:101:7:105:4 | Uses Step |
+| .github/workflows/test14.yml:101:7:105:4 | Uses Step | .github/workflows/test14.yml:105:7:111:4 | Uses Step |
+| .github/workflows/test14.yml:105:7:111:4 | Uses Step | .github/workflows/test14.yml:111:7:135:4 | Run Step: environment |
+| .github/workflows/test14.yml:111:7:135:4 | Run Step: environment | .github/workflows/test14.yml:135:7:141:4 | Run Step: email |
+| .github/workflows/test14.yml:135:7:141:4 | Run Step: email | .github/workflows/test14.yml:141:7:149:4 | Run Step: slack-id |
+| .github/workflows/test14.yml:141:7:149:4 | Run Step: slack-id | .github/workflows/test14.yml:149:7:169:4 | Uses Step: slack-initiate |
+| .github/workflows/test14.yml:149:7:169:4 | Uses Step: slack-initiate | .github/workflows/test14.yml:169:7:174:4 | Uses Step |
+| .github/workflows/test14.yml:169:7:174:4 | Uses Step | .github/workflows/test14.yml:174:7:187:4 | Run Step |
+| .github/workflows/test14.yml:174:7:187:4 | Run Step | .github/workflows/test14.yml:187:7:198:4 | Run Step |
+| .github/workflows/test14.yml:187:7:198:4 | Run Step | .github/workflows/test14.yml:198:7:206:4 | Uses Step |
+| .github/workflows/test14.yml:198:7:206:4 | Uses Step | .github/workflows/test14.yml:206:7:226:4 | Uses Step |
+| .github/workflows/test14.yml:206:7:226:4 | Uses Step | .github/workflows/test14.yml:226:7:227:45 | Run Step |
+| .github/workflows/test15.yml:38:7:56:4 | Run Step: environment | .github/workflows/test15.yml:56:7:60:4 | Uses Step: comment-branch |
+| .github/workflows/test15.yml:56:7:60:4 | Uses Step: comment-branch | .github/workflows/test15.yml:60:7:65:4 | Uses Step |
+| .github/workflows/test15.yml:60:7:65:4 | Uses Step | .github/workflows/test15.yml:65:7:68:4 | Uses Step |
+| .github/workflows/test15.yml:65:7:68:4 | Uses Step | .github/workflows/test15.yml:68:7:83:2 | Run Step |
+| .github/workflows/test15.yml:106:7:110:4 | Uses Step: comment-branch | .github/workflows/test15.yml:110:7:115:4 | Uses Step |
+| .github/workflows/test15.yml:110:7:115:4 | Uses Step | .github/workflows/test15.yml:115:7:120:4 | Uses Step |
+| .github/workflows/test15.yml:115:7:120:4 | Uses Step | .github/workflows/test15.yml:120:7:127:4 | Run Step |
+| .github/workflows/test15.yml:120:7:127:4 | Run Step | .github/workflows/test15.yml:127:7:131:4 | Run Step |
+| .github/workflows/test15.yml:127:7:131:4 | Run Step | .github/workflows/test15.yml:131:7:136:4 | Run Step |
+| .github/workflows/test15.yml:131:7:136:4 | Run Step | .github/workflows/test15.yml:136:7:141:2 | Run Step |
+| .github/workflows/test15.yml:169:7:173:4 | Uses Step: comment-branch | .github/workflows/test15.yml:173:7:180:4 | Uses Step |
+| .github/workflows/test15.yml:173:7:180:4 | Uses Step | .github/workflows/test15.yml:180:7:185:4 | Uses Step |
+| .github/workflows/test15.yml:180:7:185:4 | Uses Step | .github/workflows/test15.yml:185:7:197:4 | Run Step: pipeline-info |
+| .github/workflows/test15.yml:185:7:197:4 | Run Step: pipeline-info | .github/workflows/test15.yml:197:7:203:4 | Run Step: email |
+| .github/workflows/test15.yml:197:7:203:4 | Run Step: email | .github/workflows/test15.yml:203:7:211:4 | Run Step: slack-id |
+| .github/workflows/test15.yml:203:7:211:4 | Run Step: slack-id | .github/workflows/test15.yml:211:7:231:4 | Uses Step: slack-initiate |
+| .github/workflows/test15.yml:211:7:231:4 | Uses Step: slack-initiate | .github/workflows/test15.yml:231:7:236:4 | Uses Step |
+| .github/workflows/test15.yml:231:7:236:4 | Uses Step | .github/workflows/test15.yml:236:7:242:4 | Run Step |
+| .github/workflows/test15.yml:236:7:242:4 | Run Step | .github/workflows/test15.yml:242:7:250:4 | Uses Step |
+| .github/workflows/test15.yml:242:7:250:4 | Uses Step | .github/workflows/test15.yml:250:7:270:4 | Uses Step |
+| .github/workflows/test15.yml:250:7:270:4 | Uses Step | .github/workflows/test15.yml:270:7:271:45 | Run Step |
+| .github/workflows/test16.yml:43:9:47:6 | Run Step | .github/workflows/test16.yml:47:9:49:6 | Uses Step |
+| .github/workflows/test16.yml:47:9:49:6 | Uses Step | .github/workflows/test16.yml:49:9:56:6 | Uses Step: get_token |
+| .github/workflows/test16.yml:49:9:56:6 | Uses Step: get_token | .github/workflows/test16.yml:56:9:68:2 | Uses Step: upgrade_check |
+| .github/workflows/test16.yml:75:9:77:6 | Uses Step | .github/workflows/test16.yml:77:9:84:6 | Uses Step: get_token |
+| .github/workflows/test16.yml:77:9:84:6 | Uses Step: get_token | .github/workflows/test16.yml:84:9:96:2 | Uses Step |
+| .github/workflows/test16.yml:106:9:108:6 | Uses Step | .github/workflows/test16.yml:108:9:140:6 | Run Step: run |
+| .github/workflows/test16.yml:108:9:140:6 | Run Step: run | .github/workflows/test16.yml:140:9:147:6 | Uses Step: get_token |
+| .github/workflows/test16.yml:140:9:147:6 | Uses Step: get_token | .github/workflows/test16.yml:147:9:160:2 | Uses Step |
+| .github/workflows/test16.yml:167:9:169:6 | Uses Step | .github/workflows/test16.yml:169:9:176:6 | Uses Step: get_token |
+| .github/workflows/test16.yml:169:9:176:6 | Uses Step: get_token | .github/workflows/test16.yml:176:9:188:2 | Uses Step |
+| .github/workflows/test16.yml:218:9:221:6 | Uses Step | .github/workflows/test16.yml:221:9:226:6 | Uses Step |
+| .github/workflows/test16.yml:221:9:226:6 | Uses Step | .github/workflows/test16.yml:226:9:236:6 | Uses Step: get_token |
+| .github/workflows/test16.yml:226:9:236:6 | Uses Step: get_token | .github/workflows/test16.yml:236:9:248:6 | Uses Step |
+| .github/workflows/test16.yml:236:9:248:6 | Uses Step | .github/workflows/test16.yml:248:9:270:6 | Run Step |
+| .github/workflows/test16.yml:248:9:270:6 | Run Step | .github/workflows/test16.yml:270:9:273:6 | Run Step |
+| .github/workflows/test16.yml:270:9:273:6 | Run Step | .github/workflows/test16.yml:273:9:277:6 | Run Step: zips |
+| .github/workflows/test16.yml:273:9:277:6 | Run Step: zips | .github/workflows/test16.yml:277:9:281:6 | Run Step: tests |
+| .github/workflows/test16.yml:277:9:281:6 | Run Step: tests | .github/workflows/test16.yml:281:9:294:54 | Uses Step |
+| .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step |
+| .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:33:15:36:12 | Run Step |
+| .github/workflows/test18.yml:33:15:36:12 | Run Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step |
+| .github/workflows/test19.yml:16:7:21:4 | Uses Step | .github/workflows/test19.yml:21:7:22:14 | Run Step |
+| .github/workflows/test20.yml:16:7:21:4 | Uses Step | .github/workflows/test20.yml:21:7:22:14 | Run Step |
+| .github/workflows/test21.yml:18:9:25:6 | Uses Step | .github/workflows/test21.yml:25:9:27:36 | Run Step |
+| .github/workflows/test22.yml:57:15:62:12 | Uses Step | .github/workflows/test22.yml:62:15:62:45 | Run Step |
+| .github/workflows/test23.yml:38:9:43:6 | Uses Step | .github/workflows/test23.yml:43:9:46:16 | Run Step |
+| .github/workflows/test24.yml:7:9:10:6 | Uses Step | .github/workflows/test24.yml:10:9:16:6 | Run Step |
+| .github/workflows/test24.yml:10:9:16:6 | Run Step | .github/workflows/test24.yml:16:9:20:57 | Run Step |
+| .github/workflows/test25.yml:17:9:22:6 | Uses Step | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan |
+| .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:32:9:35:6 | Run Step |
+| .github/workflows/test25.yml:32:9:35:6 | Run Step | .github/workflows/test25.yml:35:9:42:53 | Run Step |
+| .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:21:9:22:16 | Run Step |
+| .github/workflows/test28.yml:17:9:20:6 | Uses Step | .github/workflows/test28.yml:20:9:20:22 | Run Step |
+| .github/workflows/test29.yml:8:7:14:4 | Uses Step | .github/workflows/test29.yml:14:7:21:11 | Uses Step |
+| .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step |
+| .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | Run Step |
+| .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step |
+| .github/workflows/unpinned_tags.yml:9:7:10:4 | Uses Step | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step |
+| .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:11:61 | Uses Step |
+| .github/workflows/untrusted_checkout2.yml:7:9:14:6 | Run Step: pr_number | .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step |
+| .github/workflows/untrusted_checkout3.yml:11:9:12:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step |
+| .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step |
+| .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step |
+| .github/workflows/untrusted_checkout4.yml:11:7:29:4 | Uses Step: get-pr | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step |
+| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step |
+| .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step |
+| .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step |
+| .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:11:9:15:6 | Uses Step |
+| .github/workflows/untrusted_checkout.yml:11:9:15:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step |
+| .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:26:9:30:6 | Uses Step |
+| .github/workflows/untrusted_checkout.yml:26:9:30:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step |
+| .github/workflows/untrusted_checkout_5.yml:11:9:14:6 | Uses Step | .github/workflows/untrusted_checkout_5.yml:14:9:17:6 | Uses Step |
+| .github/workflows/untrusted_checkout_5.yml:14:9:17:6 | Uses Step | .github/workflows/untrusted_checkout_5.yml:17:9:21:6 | Uses Step |
+| .github/workflows/untrusted_checkout_5.yml:17:9:21:6 | Uses Step | .github/workflows/untrusted_checkout_5.yml:21:9:23:23 | Run Step |
+| .github/workflows/untrusted_checkout_6.yml:11:9:14:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:14:9:17:6 | Uses Step |
+| .github/workflows/untrusted_checkout_6.yml:14:9:17:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:17:9:21:6 | Uses Step |
+| .github/workflows/untrusted_checkout_6.yml:17:9:21:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:21:9:23:23 | Run Step |
+| .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step |
+| .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step |
+| .github/workflows/workflow_run_untrusted_checkout_3.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_3.yml:16:9:18:31 | Uses Step |
+#select
+| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment |
+| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment |
+| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/test7.yml:59:9:60:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:59:9:60:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/test7.yml:60:9:60:37 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:60:9:60:37 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test11.yml:5:3:5:15 | issue_comment | issue_comment |
+| .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
+| .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
+| .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
diff --git a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutIssueCommentCritical.qlref b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutIssueCommentCritical.qlref
new file mode 100644
index 000000000000..be0ad9813d6e
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutIssueCommentCritical.qlref
@@ -0,0 +1 @@
+Security/CWE-829/UntrustedCheckoutIssueCommentCritical.ql
diff --git a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutIssueCommentHigh.expected b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutIssueCommentHigh.expected
new file mode 100644
index 000000000000..fc70abd2a2da
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutIssueCommentHigh.expected
@@ -0,0 +1,15 @@
+| .github/workflows/issue_comment_direct.yml:12:9:16:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_direct.yml:20:9:24:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_direct.yml:28:9:32:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_direct.yml:35:9:40:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_direct.yml:43:9:46:126 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_heuristic.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_heuristic.yml:48:7:50:46 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_heuristic.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit2.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout2.yml:1:5:1:17 | issue_comment | issue_comment |
diff --git a/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutIssueCommentHigh.qlref b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutIssueCommentHigh.qlref
new file mode 100644
index 000000000000..d967641c2db1
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutIssueCommentHigh.qlref
@@ -0,0 +1 @@
+Security/CWE-829/UntrustedCheckoutIssueCommentHigh.ql