Add supply chain queries for npm publish token usage and missing provenance

[david-wiggs]

Description

Adds two new CodeQL queries for GitHub Actions workflows that detect npm supply chain security risks:

New Queries

1. actions/npm-token-in-publish (CWE-798, error, severity 9.0)
   Detects publish steps (npm publish, yarn publish, JS-DevTools/npm-publish) that set NODE_AUTH_TOKEN or NPM_TOKEN from a repository secret. Long-lived npm tokens can be stolen and used to publish malicious package versions from outside the CI/CD pipeline (e.g. the axios@1.14.1 attack). The recommended remediation is to use npm Trusted Publishing (OIDC).

2. actions/missing-provenance-flag (CWE-353, warning, severity 5.0)
   Detects npm publish commands that do not include the --provenance flag. Provenance attestation cryptographically links the published package to a specific source commit and workflow run.

Files Added

• actions/ql/src/Security/CWE-798/NpmTokenInPublish.ql + .md
• actions/ql/src/Security/CWE-353/MissingProvenanceFlag.ql + .md
• Test workflows, .qlref, and .expected files for both queries

[Copilot]

Pull request overview

Adds two new CodeQL queries to the GitHub Actions pack to detect npm supply-chain risks in workflows: (1) use of long-lived npm publish tokens sourced from secrets, and (2) npm publish commands missing --provenance, along with query help and query-tests.

Changes:

• Added actions/npm-token-in-publish (CWE-798) to flag publish steps that use NODE_AUTH_TOKEN/NPM_TOKEN from secrets.*.
• Added actions/missing-provenance-flag (CWE-353) to flag npm publish commands missing --provenance.
• Added query-tests (workflows + .qlref + .expected) for both queries.

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
actions/ql/src/Security/CWE-798/NpmTokenInPublish.ql	New query to detect long-lived npm tokens used during publish steps.
actions/ql/src/Security/CWE-798/NpmTokenInPublish.md	Query help documenting risk + OIDC Trusted Publishing remediation guidance.
actions/ql/src/Security/CWE-353/MissingProvenanceFlag.ql	New query to detect npm publish without --provenance.
actions/ql/src/Security/CWE-353/MissingProvenanceFlag.md	Query help documenting provenance attestation and recommended workflow permissions.
actions/ql/test/query-tests/Security/CWE-798/NpmTokenInPublish.qlref	Registers the CWE-798 query for query-tests.
actions/ql/test/query-tests/Security/CWE-798/NpmTokenInPublish.expected	Expected results for npm-token-in-publish query-tests.
actions/ql/test/query-tests/Security/CWE-798/.github/workflows/npm-token-publish.yml	Positive test workflow cases for token-in-publish detections.
actions/ql/test/query-tests/Security/CWE-798/.github/workflows/npm-token-publish-safe.yml	Negative test workflow cases for token-in-publish.
actions/ql/test/query-tests/Security/CWE-353/MissingProvenanceFlag.qlref	Registers the CWE-353 query for query-tests.
actions/ql/test/query-tests/Security/CWE-353/MissingProvenanceFlag.expected	Expected results for missing-provenance-flag query-tests.
actions/ql/test/query-tests/Security/CWE-353/.github/workflows/npm-publish-with-provenance.yml	Negative test workflow cases (has --provenance).
actions/ql/test/query-tests/Security/CWE-353/.github/workflows/npm-publish-no-provenance.yml	Positive test workflow cases (missing --provenance).

Comments suppressed due to low confidence (1)

actions/ql/src/Security/CWE-798/NpmTokenInPublish.md:7

• The recommendation only mentions removing NODE_AUTH_TOKEN, but the query (and overview) also covers NPM_TOKEN. Consider updating the recommendation to cover both env vars / long-lived npm tokens in general.

Remove `NODE_AUTH_TOKEN` from the publish step. Configure npm Trusted Publishing (OIDC) on npmjs.com, pointing to this repository and workflow. This eliminates the need for long-lived tokens entirely.

[david-wiggs]

@copilot apply changes based on the comments in this thread