
Move list of immutable actions into internal model pack for now. #18887

Merged: 5 commits merged into main from dbartol/immutable-actions on Feb 27, 2025

Conversation

dbartol (Contributor) commented Feb 27, 2025

This PR removes the current list of immutable actions from the standard library pack, and moves it into a new model pack, github/immutable-actions-list.

We have an existing Actions query, actions/unversioned-immutable-action, which alerts about references to an action without a semantic version if there's an immutable version of that action available. However, since the immutable actions feature isn't available to customers yet, we're currently reporting alerts that our customers have no way of fixing. We don't want to remove the query from the default suite, though, because then we couldn't run it internally on repos that use Default Setup, which is nearly all of them.

Instead, I've created a new model pack containing the list. We'll deploy this model pack internally for now. Once the Immutable Actions feature ships to customers, we'll add the list back into the standard library pack.

I've also added all of the codeql-action actions to the list, since they were missing.

To keep our tests running, I've simply added the new model pack as a dependency of our test pack.

Separately but related, I've added the octokit org to the list of trusted Actions owners. The actions/unpinned-tag query ignores actions which are known to have immutable versions available, so removing octokit/request-action from that list made us start reporting unpinned-tag on uses of that action. Update: we decided that octokit doesn't meet our current criteria for "trusted owner", so I've removed it from the list. We'll start reporting unpinned-tag for octokit/request-action.

The new pack will be published manually, and only when needed, rather than as part of the usual CodeQL release process. We'll likely only need to publish it once.
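To make the interplay between the two queries concrete, here is an added example (not code from this PR or from the CodeQL repository) that models, in plain Python, the decision logic the description attributes to actions/unversioned-immutable-action and actions/unpinned-tag. The immutable-actions list, the trusted-owner list and the sample workflow are constructed stand-ins, and the semver/SHA rules are a simplification of what the real queries check.

```python
import re

# Constructed sample lists: stand-ins for the data extensions discussed in the PR,
# not the real contents of immutable_actions.yml or trusted_actions_owner.yml.
IMMUTABLE_ACTIONS = {"actions/checkout", "github/codeql-action/analyze", "octokit/request-action"}
TRUSTED_OWNERS = {"actions", "github"}

SEMVER_RE = re.compile(r"^v?\d+\.\d+\.\d+$")   # full semantic version, e.g. v3.28.1
SHA_RE = re.compile(r"^[0-9a-f]{40}$")         # pinned to a full commit SHA
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@#]+)@([^\s#]+)")


def parse_uses(workflow_text):
    """Yield (action, ref) for every `uses: owner/repo[/path]@ref` step."""
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and not m.group(1).startswith(("./", "docker://")):
            yield m.group(1), m.group(2)


def analyze(workflow_text, immutable=IMMUTABLE_ACTIONS, trusted=TRUSTED_OWNERS):
    """Simplified model of the two queries; returns (query, action, ref) alerts."""
    alerts = []
    for action, ref in parse_uses(workflow_text):
        owner = action.split("/")[0]
        is_immutable = action in immutable
        # unversioned-immutable-action: an immutable version exists, but the
        # reference is not a semantic version.
        if is_immutable and not SEMVER_RE.match(ref):
            alerts.append(("unversioned-immutable-action", action, ref))
        # unpinned-tag: skips actions known to have immutable versions, trusted
        # owners, and references already pinned to a full commit SHA.
        if not is_immutable and owner not in trusted and not SHA_RE.match(ref):
            alerts.append(("unpinned-tag", action, ref))
    return alerts


# Constructed sample workflow.
WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/analyze@v3.28.1
      - uses: octokit/request-action@v2.x
      - uses: some-org/some-tool@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for alert in analyze(WORKFLOW):
        print(alert)
```

Dropping octokit/request-action from the immutable list (as the PR ends up doing) moves its alert from unversioned-immutable-action to unpinned-tag, and emptying the list entirely (the standard library pack without the model pack) leaves only the unpinned-tag alert.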

@Copilot Copilot bot review requested due to automatic review settings February 27, 2025 16:57
@dbartol dbartol requested a review from a team as a code owner February 27, 2025 16:57
@github-actions github-actions bot added the Actions Analysis of GitHub Actions label Feb 27, 2025


PR Overview

This PR moves the immutable actions list out of the standard library configuration and into a new internal model pack, github/immutable-actions-list, to support internal testing until the Immutable Actions feature is released to customers.

  • Created a new model pack with the immutable actions list.
  • Updated the standard configuration file to disable alerts by clearing out the data list.
  • Modified test pack and workspace configurations, and added the octokit org to the trusted owners list.

Reviewed Changes

File Description
actions/ql/extensions/immutable-actions-list/ext/immutable_actions.yml New file containing the immutable actions list for internal use.
actions/ql/extensions/immutable-actions-list/qlpack.yml New pack configuration for the internal model pack.
actions/ql/lib/ext/config/immutable_actions.yml Removed the hardcoded list and replaced it with an empty data array with explanatory comments.
actions/ql/test/qlpack.yml Added dependency for the new model pack to ensure tests have data.
actions/ql/lib/ext/config/trusted_actions_owner.yml Added octokit as a trusted Actions owner to suppress unpinned tag alerts.
codeql-workspace.yml Updated workspace to include the new model pack’s qlpack file.

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.


@dbartol dbartol requested a review from aeisenberg February 27, 2025 17:05
@dbartol dbartol marked this pull request as draft February 27, 2025 17:09
@dbartol dbartol marked this pull request as ready for review February 27, 2025 17:17
aeisenberg (Contributor) previously approved these changes Feb 27, 2025 and left a comment


Nice. This looks fine to me.

Presumably, you will manually publish the new model pack?

@dbartol dbartol marked this pull request as draft February 27, 2025 17:25
dbartol (Contributor, Author) commented Feb 27, 2025

Please don't merge yet. I have another change to make.

dbartol (Contributor, Author) commented Feb 27, 2025

I've moved the new pack into the codeql org instead of the github org. We may want to allow customers to use it if there's a preview for Immutable Actions, and then only move the list back into the standard library pack when Immutable Actions GAs. Putting in the codeql org also makes publishing the pack easier on our end.

@dbartol dbartol marked this pull request as ready for review February 27, 2025 17:32
@dbartol dbartol requested a review from aeisenberg February 27, 2025 17:32
aeisenberg (Contributor) left a comment


Makes sense. Just be sure to make the package public.

@dbartol dbartol merged commit 6c0aadf into main Feb 27, 2025
41 checks passed
@dbartol dbartol deleted the dbartol/immutable-actions branch February 27, 2025 19:04