@@ -635,19 +635,22 @@ class JobImpl extends AstNodeImpl, TJobNode {
635635
636636 /** Holds if the workflow is privileged. */
637637 predicate isPrivileged ( ) {
638- // The job has a permission to write to some scope
638+ // the job has an explicit write permission
639639 this .getPermissions ( ) .getAPermission ( ) = "write"
640640 or
641- // The job accesses a secret
641+ // the job accesses a secret other than GITHUB_TOKEN
642642 exists ( SecretsExpressionImpl expr |
643643 expr .getEnclosingJob ( ) = this and not expr .getFieldName ( ) = "GITHUB_TOKEN"
644644 )
645645 or
646- // The effective permissions have write access
647- exists ( string path , string name , string secrets_source , string perms |
648- workflowDataModel ( path , _ , name , secrets_source , perms , _) and
646+ // the effective permissions have write access
647+ exists ( string path , string trigger , string name , string secrets_source , string perms |
648+ workflowDataModel ( path , trigger , name , secrets_source , perms , _) and
649649 path .trim ( ) = this .getLocation ( ) .getFile ( ) .getRelativePath ( ) and
650650 name .trim ( ) .matches ( this .getId ( ) + "%" ) and
651+ // We cannot trust the permissions for pull_request events since they depend on the
652+ // location of the head branch
653+ not trigger .trim ( ) = "pull_request" and
651654 (
652655 secrets_source .trim ( ) .toLowerCase ( ) = "actions" or
653656 perms .toLowerCase ( ) .matches ( "%write%" )
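Review bot: The new trigger filter on line 653 compares `trigger.trim()` with `"pull_request"` case-sensitively, while the neighbouring `secrets_source` test on line 655 both trims and lower-cases, so a data-model row spelled `Pull_Request` (plausible if the column is hand-maintained) would slip past the exclusion and still mark the job privileged; `not trigger.trim().toLowerCase() = "pull_request" and` makes the three normalisations consistent. The exact-equality test also leaves `pull_request_target` rows in, which is the right outcome because that event runs with the base repository's permissions, but the comment on lines 651-652 should state it so a later "fix" does not turn this into a prefix match: `// pull_request_target is deliberately not excluded: it runs with base-repository permissions`. Whether the `trigger` column ever carries more than one bare event name (a list, or an event with activity types) is not visible here; if it can, an equality test would miss those rows, so this is worth confirming against the data-model writer. The `isPrivileged` predicate and its `exists` block continue past the end of the hunk.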