Extend actions/unpinned-tag to analyze composite action metadata (action.yml / action.yaml)
#21692
+25
−7
GitHub Advanced Security / CodeQL
completed
Apr 15, 2026 in 6s
6 configurations not found
Warning: Code scanning may not have found all the alerts introduced by this pull request, because 6 configurations present on refs/heads/main were not found:
Actions workflow (rust-analysis.yml)
- ❓
.github/workflows/rust-analysis.yml:analyze/language:rust
Actions workflow (csv-coverage-metrics.yml)
- ❓
.github/workflows/csv-coverage-metrics.yml:publish-csharp - ❓
.github/workflows/csv-coverage-metrics.yml:publish-java
Actions workflow (codeql-analysis.yml)
- ❓
.github/workflows/codeql-analysis.yml:CodeQL-Build/language:actions - ❓
.github/workflows/codeql-analysis.yml:CodeQL-Build/language:csharp
Actions workflow (cpp-swift-analysis.yml)
- ❓
.github/workflows/cpp-swift-analysis.yml:CodeQL-Build
New alerts in code changed by this pull request
- 1 warning
See annotations below for details.
Annotations
Check warning on line 34 in actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
Code scanning / CodeQL
Predicates starting with "get" or "as" should return a value Warning
Loading