
Add GitHub Actions type #243

Open. Wants to merge 4 commits into base: master

Conversation

jhutchings1 (Contributor):

This PR adds GitHub Actions as a distinct type. We use this in the GitHub Dependency graph because GitHub Actions are distinct in meaning from the GitHub repository package references, and sometimes get CVEs published on them.

@stevespringett added the label "PURL type definition" (Non-core definitions that describe and standardize PURL types) on Jul 19, 2023
@jhutchings1 (Contributor, Author):

@pombredanne @stevespringett Can you take a look at this? We're already using it in practice within GitHub, and I'd love to make sure that it's an accepted type definition.

Review thread on PURL-TYPES.rst (outdated):

pkg:githubactions/package-url/purl-spec@244fd47e07d1004
pkg:githubactions/package-url/purl-spec@v1.2
pkg:githubactions/github/codeql-action/analyze@v2
Member:

What is the relationship between pkg:githubactions/github/codeql-action/analyze@v2 and the Marketplace where actions are found? For example, this action is not listed in the marketplace, but https://github.com/marketplace/actions/codeql-bundle is. I think this needs to be clarified as many people will associate the githubactions purl type with the actions that are in the Marketplace, but that's not true in this case.

Contributor Author:

The Marketplace listings are basically advertisements and disconnected from the actual software distribution. You can reference an action in any repository regardless of whether there is a Marketplace listing. The only requirement is that there's an action.yml file in the repository and that the version matches a SHA, branch, or release tag. You'll see some of the scenarios around how things get referenced here: https://docs.github.com/en/actions/learn-github-actions/finding-and-customizing-actions#adding-an-action-to-your-workflow

@@ -253,6 +253,23 @@ github
pkg:github/package-url/purl-spec@244fd47e07d1004
pkg:github/package-url/purl-spec@244fd47e07d1004#everybody/loves/dogs

githubactions
------
``githubactions`` for GitHub Actions:
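Review bot: the reStructuredText underline `------` beneath the new `githubactions` heading is shorter than the heading text (6 dashes for 13 characters); docutils requires a section underline to be at least as long as its title and otherwise reports "Title underline too short", so this line should be lengthened to `-------------` to match the heading, consistent with the other type sections in PURL-TYPES.rst.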
Member:

What is the default repository_url? Does this apply to Actions? If not, why not? The purl spec does not differentiate between public Internet facing repositories and internal ones. If there's a default repository_url, even an internal one, it should be part of the purl type definition.

Contributor Author:

Sure, I could add one of those if you think it's helpful. GitHub Actions are always in practice pulled from the current GitHub instance you're on. So if you're on github.com, it's that, and if you're on an enterprise server instance, it's that.


pkg:githubactions/package-url/purl-spec@244fd47e07d1004
pkg:githubactions/package-url/purl-spec@v1.2
pkg:githubactions/github/codeql-action/analyze@v2

It appears that the name attribute could be a single word, purl-spec, or could have a subpath, codeql-action/analyze. This appears to be different from other schemes, where subpaths come after qualifiers, separated by a hash.

pkg:githubactions/github/codeql-action@v2?repository_url=...#subpath=analyze


I think subpath has a special meaning for referring to files within a package, which is not the case here if the action is its own package which happens to be in the same repository as other packages. This seems consistent with Go, where the namespace/name is treated as a single value which means something in Go instead of two separate values (e.g., a lot of Go PURLs have the PURL name "v2" because of the way Go handles version epochs).

Contributor Author:

@matt-phylum has it. The subpath is about picking a non-default action in a repository in instances where multiple actions exist.


This seems inconsistent with the description given above:

namespace is the user or organization
name is the repository name
subpath is used to point to the location of an action within a repository in the event there are multiple defined.

If the name component is strictly the repository name, then based on the components from the spec:

scheme:type/namespace/name@version?qualifiers#subpath

This example should be:

pkg:githubactions/github/codeql-action@v2#analyze

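As an added example (not code from this PR or from the purl-spec project), the following Python script maps workflow `uses:` references to purls in the `pkg:githubactions/<owner>/<repo>@<version>#<subpath>` layout proposed in the comment above, and maps them back. The workflow fragment and the 40-hex commit SHA in it are constructed for the example; the percent-encoding of components follows the general purl rule, and the "pinned to a full SHA" flag is this example's own addition, reflecting the thread's note that the version can be a SHA, branch or release tag.

```python
import re
from urllib.parse import quote, unquote

# Constructed sample workflow fragment (not taken from the PR thread).
SAMPLE_WORKFLOW = """\
jobs:
  analyze:
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v2
      - uses: github/codeql-action/analyze@v2
      - uses: package-url/purl-spec@244fd47e07d1004
      - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def uses_to_purl(uses):
    """Map `owner/repo[/path]@ref` to (purl, pinned_to_full_sha).

    Returns None for `./local` and `docker://` references: those are not
    GitHub-hosted actions, so they get no githubactions purl. The ref may be
    a SHA, branch or tag, so it is carried verbatim as the purl version;
    pinned_to_full_sha is True only for a 40-hex commit SHA, the one form
    that cannot be moved to different code after the fact (example's own flag).
    """
    if uses.startswith("./") or uses.startswith("docker://"):
        return None
    if "@" not in uses:
        raise ValueError("remote action reference needs @ref: " + uses)
    path, ref = uses.rsplit("@", 1)
    parts = path.split("/")
    if len(parts) < 2 or not all(parts) or not ref:
        raise ValueError("expected owner/repo[/path]@ref: " + uses)
    owner, repo, subpath = parts[0], parts[1], parts[2:]
    # namespace = owner, name = repo, version = ref, subpath = path inside the repo
    purl = "pkg:githubactions/%s/%s@%s" % (
        quote(owner, safe=""), quote(repo, safe=""), quote(ref, safe=""))
    if subpath:
        purl += "#" + "/".join(quote(p, safe="") for p in subpath)
    return purl, bool(FULL_SHA.match(ref))


def purl_to_uses(purl):
    """Inverse mapping, so a purl can be traced back to the workflow reference."""
    prefix = "pkg:githubactions/"
    if not purl.startswith(prefix):
        raise ValueError("not a githubactions purl: " + purl)
    rest = purl[len(prefix):]
    rest, _, subpath = rest.partition("#")      # #subpath comes last
    rest, _, _qualifiers = rest.partition("?")  # ?qualifiers before it (ignored here)
    body, _, ref = rest.rpartition("@")         # @version before that
    owner, _, repo = body.partition("/")
    if not (owner and repo and ref):
        raise ValueError("malformed githubactions purl: " + purl)
    segments = [owner, repo] + ([subpath] if subpath else [])
    return "/".join(unquote(s) for s in segments) + "@" + unquote(ref)


def workflow_to_purls(text):
    """Scan workflow text for `uses:` lines; return [(uses, purl, pinned_to_full_sha)]."""
    rows = []
    for line in text.splitlines():
        m = USES_LINE.match(line)
        if not m:
            continue
        mapped = uses_to_purl(m.group(1))
        if mapped is not None:
            rows.append((m.group(1), mapped[0], mapped[1]))
    return rows


if __name__ == "__main__":
    for uses, purl, pinned in workflow_to_purls(SAMPLE_WORKFLOW):
        print("%-60s %s%s" % (uses, purl, "" if pinned else "   (mutable ref)"))
```

Note that the 15-character abbreviated SHA from the PR's own examples is deliberately not treated as a full pin: only a complete 40-hex commit SHA is immutable, and the script reports everything else, tags included, as a mutable reference.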
@emilwareus:

Hi! I'm trying to use this schema, how would you say this vulnerability would fit into the actions pURL? GHSA-hw6r-g8gj-2987

@jhutchings1 (Contributor, Author):

> Hi! I'm trying to use this schema, how would you say this vulnerability would fit into the actions pURL? GHSA-hw6r-g8gj-2987

This schema is intended to refer to a GitHub Actions action, not a workflow, so in your case, I think the regular GitHub namespace is more appropriate.

@jhutchings1 mentioned this pull request on Apr 19, 2024 (8 tasks)
Labels: PURL type definition

7 participants