renamed repo to nwo to be precise in the naming used here

This step is not possible for default setup. I believe it's possible to just place the extensions file in .github/codeql/extensions in the current repository and have it automatically included in the run.

The docs seem to suggest it is possible though: https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup#extending-codeql-coverage-with-codeql-model-packs-in-default-setup

It is possible to setup model packs with org level setup: Extending CodeQL coverage with CodeQL model packs in default setup ... added to references link at the bottom of the .md

I struggle with how verbose to make this guidance in the query markdown, feels like it would be better documented out in the (yet to be released) https://codeql.github.com/docs/codeql-language-guides/codeql-for-actions/

I will take a stab at adding some of the additional options here as a hint in the right direction

Hmmm...that might be a better use of space to link out to the language guide (when it is available). I am a little concerned that if we load up the qhelp with lots of information around configuration, then autofix will get confused.

Presumably, the language docs are released along with the CLI release. So, timing would work out.

Good point about autofix, I will shift gears and move these docs in that direction and consider deep linking via reference.

I made the changelog a bit more verbose as a compromise.

Having an inventory of which queries are extensible via data extensions (and which scenarios) + including that in the query docs would be a larger effort that other queries would benefit from.

For future docs considerations:

Configuration

If there is an Action publisher that you trust, you can include the owner name/organization in a data extension model pack to add it to the allow list for this query. Adding owners to this list will prevent security alerts when using unpinned tags for Actions published by that owner.

Example

To allow any Action from the publisher octodemo, such as octodemo/3rd-party-action, follow these steps:

1. Create a data extension file /models/trusted-owner.model.yml with the following content:

   extensions:
     - addsTo: 
         pack: codeql/actions-all
         extensible: trustedActionsOwnerDataModel 
       data:
         - ["octodemo"]

2. Create a model pack file /codeql-pack.yml with the following content:

   name: my-org/actions-extensions-model-pack
   version: 0.0.0
   library: true
   extensionTargets:
     codeql/actions-all: '*'
   dataExtensions:
     - models/**/*.yml

3. Ensure that the model pack is included in your CodeQL analysis.

By following these steps, you will add octodemo to the list of trusted Action publishers, and the query will no longer generate security alerts for unpinned tags from this publisher.

References

• Extending CodeQL coverage with CodeQL model packs in default setup
• Creating and working with CodeQL packs