[Actions] Unpinned actions in same organization or same enterprise incorrectly trigger actions/unpinned-tag

[ebickle]

Description of the false positive

The CodeQL rule actions/unpinned-tag (Unpinned tag for a non-immutable Action in workflow) triggers for actions in the same organization or the same enterprise.

The description for the rule states "Unpinned 3rd party Action", which in our case triggered for an action in the same organization. Actions within the same owner, org, or enterprise are not 3rd party actions or untrusted.

Code samples or links to source code

The issue can be reproduced by:

1. Create the repository sample-actions in the same org (or enterprise)
2. Add an action to the sample-actions repository and tag the commit as `v1.
3. In a different repository, add a workflow that references the new action:

   - uses: same-org/sample-actions@v1
   

[ebickle]

As far as I know, CodeQL rules only look at the code - not the operating environment - so fixing this could be tricky. One idea I had is that the rule could be modified to only apply to actions in a 'public' repository. That way the rule would only need to look at public information on GitHub without any need to authenticate with an enterprise or organization.