feat: codeql pack with trusted owners (#1427)

erikburt · web-flow · commit f83be75acdf4 · 2026-02-25T17:21:39.000Z
diff --git a/.gitignore b/.gitignore
@@ -51,3 +51,6 @@ bin/
 
 # other caches
 **/.cache/**
+
+# codeql
+**/.codeql/**
diff --git a/codeql/README.md b/codeql/README.md
@@ -0,0 +1,60 @@
+# CodeQL
+
+Custom CodeQL model packs.
+
+## Development
+
+1. Install codeql CLI
+   (https://docs.github.com/en/code-security/how-tos/scan-code-for-vulnerabilities/scan-from-the-command-line/setting-up-the-codeql-cli)
+
+```sh
+# https://formulae.brew.sh/cask/codeql
+brew install --cask codeql
+```
+
+### Setup
+
+`codeql pack init`
+
+- https://docs.github.com/en/code-security/tutorials/customize-code-scanning/creating-and-working-with-codeql-packs
+
+## Publishing
+
+1. `cd` into the directory containing the `qlpack.yml` file.
+2. If needed, bump the version in the `qlpack.yml`
+   1. Check versions already published at
+      https://github.com/orgs/smartcontractkit/packages
+3. `gh auth token | codeql pack publish --github-auth-stdin`
+
+## Using
+
+### CodeQL Default
+
+As far as I can tell, there is no way to configure specific repos to use
+_separately_ published CodeQL model packs.
+
+You can use model packs declared explicitly in your repository though. If you
+wish to do this, follow
+[these instructions](https://docs.github.com/en/code-security/how-tos/scan-code-for-vulnerabilities/manage-your-configuration/editing-your-configuration-of-default-setup#extending-codeql-coverage-with-codeql-model-packs-in-default-setup).
+
+#### At the org-level
+
+At the org-level, you can configure all default CodeQL setups to include
+specific model packs. See
+[these docs](https://docs.github.com/en/code-security/how-tos/scan-code-for-vulnerabilities/manage-your-configuration/editing-your-configuration-of-default-setup#extending-coverage-for-all-repositories-in-an-organization).
+
+### CodeQL Advanced
+
+CodeQL Advanced requires passing in a config or a pack explicitly.
+
+For example:
+
+`.github/codeql/codeql-actions.yml`
+
+```yml
+packs:
+  - smartcontractkit/actions-all-extension@^<version>
+
+queries:
+  - uses: security-extended
+```
diff --git a/codeql/actions/codeql-pack.lock.yml b/codeql/actions/codeql-pack.lock.yml
@@ -0,0 +1,4 @@
+---
+lockVersion: 1.0.0
+dependencies: {}
+compiled: false
diff --git a/codeql/actions/models/trusted-owner.model.yml b/codeql/actions/models/trusted-owner.model.yml
@@ -0,0 +1,11 @@
+# See: https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-actions/#example-extend-the-trusted-actions-publishers-for-the-actions-unpinned-tag-query
+# I believe the default configuration is here: https://github.com/github/codeql/blob/main/actions/ql/lib/ext/config/trusted_actions_owner.yml
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: trustedActionsOwnerDataModel
+    data:
+      - ["smartcontractkit"]
+      - ["actions"]
+      - ["github"]
+      - ["advanced-security"]
diff --git a/codeql/actions/qlpack.yml b/codeql/actions/qlpack.yml
@@ -0,0 +1,7 @@
+name: smartcontractkit/actions-all-extension
+version: 1.0.0
+library: true
+extensionTargets:
+  codeql/actions-all: "*"
+dataExtensions:
+  - models/**/*.yml
