robojerk/codeql-action

Merge branch 'main' into mergeback/v3.28.5-to-main-f6091c01

Browse source
This commit is contained in:
Henry Mercer 2025-01-24 16:39:07 +00:00 committed by GitHub
commit 4b8aeabbe4
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
68 changed files with 114 additions and 58 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.github/workflows/__all-platform-bundle.yml generated vendored
View file

@ -32,7 +32,7 @@ jobs:
name: All-platform bundle
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__analyze-ref-input.yml generated vendored
View file

@ -36,7 +36,7 @@ jobs:
name: "Analyze: 'ref' and 'sha' from inputs"
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__autobuild-action.yml generated vendored
View file

@ -36,7 +36,7 @@ jobs:
name: autobuild-action
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__autobuild-direct-tracing-with-working-dir.yml generated vendored
View file

@ -38,7 +38,7 @@ jobs:
name: Autobuild direct tracing (custom working directory)
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__autobuild-direct-tracing.yml generated vendored
View file

@ -38,7 +38,7 @@ jobs:
name: Autobuild direct tracing
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__build-mode-autobuild.yml generated vendored
View file

@ -32,7 +32,7 @@ jobs:
name: Build mode autobuild
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__build-mode-manual.yml generated vendored
View file

@ -32,7 +32,7 @@ jobs:
name: Build mode manual
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__build-mode-none.yml generated vendored
View file

@ -34,7 +34,7 @@ jobs:
name: Build mode none
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__build-mode-rollback.yml generated vendored
View file

@ -32,7 +32,7 @@ jobs:
name: Build mode rollback
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__cleanup-db-cluster-dir.yml generated vendored
View file

@ -32,7 +32,7 @@ jobs:
name: Clean up database cluster directory
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__config-export.yml generated vendored
View file

@ -42,7 +42,7 @@ jobs:
name: Config export
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__config-input.yml generated vendored
View file

@ -32,7 +32,7 @@ jobs:
name: Config input
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__cpp-deptrace-disabled.yml generated vendored
View file

@ -36,7 +36,7 @@ jobs:
name: 'C/C++: disabling autoinstalling dependencies (Linux)'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__cpp-deptrace-enabled-on-macos.yml generated vendored
View file

@ -32,7 +32,7 @@ jobs:
name: 'C/C++: autoinstalling dependencies is skipped (macOS)'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__cpp-deptrace-enabled.yml generated vendored
View file

@ -36,7 +36,7 @@ jobs:
name: 'C/C++: autoinstalling dependencies (Linux)'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__diagnostics-export.yml generated vendored
View file

@ -42,7 +42,7 @@ jobs:
name: Diagnostic export
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__export-file-baseline-information.yml generated vendored
View file

@ -36,7 +36,7 @@ jobs:
name: Export file baseline information
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__extract-direct-to-toolcache.yml generated vendored
View file

@ -36,7 +36,7 @@ jobs:
name: Extract directly to toolcache
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__extractor-ram-threads.yml generated vendored
View file

@ -32,7 +32,7 @@ jobs:
name: Extractor ram and threads options test
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__go-custom-queries.yml generated vendored
View file

@ -34,7 +34,7 @@ jobs:
name: 'Go: Custom queries'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml generated vendored
View file

@ -32,7 +32,7 @@ jobs:
name: 'Go: diagnostic when Go is changed after init step'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml generated vendored
View file

@ -32,7 +32,7 @@ jobs:
name: 'Go: diagnostic when `file` is not installed'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__go-indirect-tracing-workaround.yml generated vendored
View file

@ -32,7 +32,7 @@ jobs:
name: 'Go: workaround for indirect tracing'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__go-tracing-autobuilder.yml generated vendored
View file

@ -62,7 +62,7 @@ jobs:
name: 'Go: tracing with autobuilder step'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__go-tracing-custom-build-steps.yml generated vendored
View file

@ -62,7 +62,7 @@ jobs:
name: 'Go: tracing with custom build steps'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__go-tracing-legacy-workflow.yml generated vendored
View file

@ -62,7 +62,7 @@ jobs:
name: 'Go: tracing with legacy workflow'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__javascript-source-root.yml generated vendored
View file

@ -36,7 +36,7 @@ jobs:
name: Custom source root
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__job-run-uuid-sarif.yml generated vendored
View file

@ -32,7 +32,7 @@ jobs:
name: Job run UUID added to SARIF
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__language-aliases.yml generated vendored
View file

@ -32,7 +32,7 @@ jobs:
name: Language aliases
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__multi-language-autodetect.yml generated vendored
View file

@ -62,7 +62,7 @@ jobs:
name: Multi-language repository
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__packaging-codescanning-config-inputs-js.yml generated vendored
View file

@ -48,7 +48,7 @@ jobs:
name: 'Packaging: Config and input passed to the CLI'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__packaging-config-inputs-js.yml generated vendored
View file

@ -48,7 +48,7 @@ jobs:
name: 'Packaging: Config and input'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__packaging-config-js.yml generated vendored
View file

@ -48,7 +48,7 @@ jobs:
name: 'Packaging: Config file'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__packaging-inputs-js.yml generated vendored
View file

@ -48,7 +48,7 @@ jobs:
name: 'Packaging: Action input'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__remote-config.yml generated vendored
View file

@ -34,7 +34,7 @@ jobs:
name: Remote config file
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__resolve-environment-action.yml generated vendored
View file

@ -48,7 +48,7 @@ jobs:
name: Resolve environment
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__rubocop-multi-language.yml generated vendored
View file

@ -32,7 +32,7 @@ jobs:
name: RuboCop multi-language
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__ruby.yml generated vendored
View file

@ -42,7 +42,7 @@ jobs:
name: Ruby analysis
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__split-workflow.yml generated vendored
View file

@ -42,7 +42,7 @@ jobs:
name: Split workflow
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__start-proxy.yml generated vendored
View file

@ -36,7 +36,7 @@ jobs:
name: Start proxy
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

3
.github/workflows/__submit-sarif-failure.yml generated vendored
View file

@ -36,7 +36,8 @@ jobs:
name: Submit SARIF after failure
permissions:
contents: read
security-events: write
security-events: write # needed to upload the SARIF file
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__swift-autobuild.yml generated vendored
View file

@ -32,7 +32,7 @@ jobs:
name: Swift analysis using autobuild
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__swift-custom-build.yml generated vendored
View file

@ -36,7 +36,7 @@ jobs:
name: Swift analysis using a custom build command
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__test-autobuild-working-dir.yml generated vendored
View file

@ -32,7 +32,7 @@ jobs:
name: Autobuild working directory
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__test-local-codeql.yml generated vendored
View file

@ -32,7 +32,7 @@ jobs:
name: Local CodeQL bundle
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__test-proxy.yml generated vendored
View file

@ -34,7 +34,7 @@ jobs:
name: Proxy test
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__unset-environment.yml generated vendored
View file

@ -34,7 +34,7 @@ jobs:
name: Test unsetting environment variables
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__upload-ref-sha-input.yml generated vendored
View file

@ -36,7 +36,7 @@ jobs:
name: "Upload-sarif: 'ref' and 'sha' from inputs"
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__with-checkout-path.yml generated vendored
View file

@ -36,7 +36,7 @@ jobs:
name: Use a custom `checkout_path`
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__zstd-bundle-streaming.yml generated vendored
View file

@ -34,7 +34,7 @@ jobs:
name: Zstandard bundle (streaming)
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__zstd-bundle.yml generated vendored
View file

@ -36,7 +36,7 @@ jobs:
name: Zstandard bundle
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

3
.github/workflows/check-expected-release-files.yml vendored
View file

@ -13,6 +13,9 @@ jobs:
check-expected-release-files:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout CodeQL Action
uses: actions/checkout@v4

5
.github/workflows/codeql.yml vendored
View file

@ -24,7 +24,7 @@ jobs:
versions: ${{ steps.compare.outputs.versions }}
permissions:
security-events: write
contents: read
steps:
- uses: actions/checkout@v4
@ -80,7 +80,8 @@ jobs:
runs-on: ${{ matrix.os }}
permissions:
security-events: write
contents: read
security-events: write # needed to upload results
steps:
- name: Checkout

5
.github/workflows/codescanning-config-cli.yml vendored
View file

@ -23,6 +23,11 @@ jobs:
code-scanning-config-tests:
continue-on-error: true
permissions:
contents: read
packages: read
security-events: read
strategy:
fail-fast: false
matrix:

4
.github/workflows/debug-artifacts-failure.yml vendored
View file

@ -23,6 +23,8 @@ jobs:
continue-on-error: true
env:
CODEQL_ACTION_TEST_MODE: true
permissions:
contents: read
timeout-minutes: 45
runs-on: ubuntu-latest
steps:
@ -58,6 +60,8 @@ jobs:
name: Download and check debug artifacts after failure in analyze
needs: upload-artifacts
timeout-minutes: 45
permissions:
contents: read
runs-on: ubuntu-latest
steps:
- name: Download all artifacts

4
.github/workflows/debug-artifacts.yml vendored
View file

@ -34,6 +34,8 @@ jobs:
env:
CODEQL_ACTION_TEST_MODE: true
timeout-minutes: 45
permissions:
contents: read
runs-on: ubuntu-latest
steps:
- name: Check out repository
@ -64,6 +66,8 @@ jobs:
name: Download and check debug artifacts
needs: upload-artifacts
timeout-minutes: 45
permissions:
contents: read
runs-on: ubuntu-latest
steps:
- name: Download all artifacts

2
.github/workflows/expected-queries-runs.yml vendored
View file

@ -24,7 +24,7 @@ jobs:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
security-events: read
steps:
- name: Check out repository
uses: actions/checkout@v4

3
.github/workflows/post-release-mergeback.yml vendored
View file

@ -27,6 +27,9 @@ jobs:
BASE_BRANCH: "${{ github.event.inputs.baseBranch || 'main' }}"
HEAD_BRANCH: "${{ github.head_ref || github.ref }}"
permissions:
contents: write # needed to create tags and push commits
steps:
- name: Dump environment
run: env

11
.github/workflows/pr-checks.yml vendored
View file

@ -15,7 +15,7 @@ jobs:
timeout-minutes: 45
permissions:
contents: read
security-events: write
security-events: write # needed to upload ESLint results
strategy:
fail-fast: false
@ -40,6 +40,8 @@ jobs:
check-node-modules:
if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
name: Check modules up to date
permissions:
contents: read
runs-on: macos-latest
timeout-minutes: 45
@ -51,6 +53,8 @@ jobs:
check-file-contents:
if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
name: Check file contents
permissions:
contents: read
runs-on: ubuntu-latest
timeout-minutes: 45
@ -81,6 +85,8 @@ jobs:
fail-fast: false
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
permissions:
contents: read
runs-on: ${{ matrix.os }}
timeout-minutes: 45
@ -101,6 +107,9 @@ jobs:
env:
BASE_REF: ${{ github.base_ref }}
permissions:
contents: read
steps:
- uses: actions/checkout@v4
- id: head-version

2
.github/workflows/python312-windows.yml vendored
View file

@ -17,6 +17,8 @@ jobs:
env:
CODEQL_ACTION_TEST_MODE: true
timeout-minutes: 45
permissions:
contents: read
runs-on: windows-latest
steps:

3
.github/workflows/rebuild.yml vendored
View file

@ -11,6 +11,9 @@ jobs:
runs-on: ubuntu-latest
if: github.event.label.name == 'Rebuild'
permissions:
contents: write # needed to push rebuilt commit
pull-requests: write # needed to comment on the PR
steps:
- name: Checkout
uses: actions/checkout@v4

2
.github/workflows/test-codeql-bundle-all.yml vendored
View file

@ -27,7 +27,7 @@ jobs:
name: 'CodeQL Bundle All'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

3
.github/workflows/update-bundle.yml vendored
View file

@ -17,6 +17,9 @@ jobs:
update-bundle:
if: github.event.release.prerelease && startsWith(github.event.release.tag_name, 'codeql-bundle-')
runs-on: ubuntu-latest
permissions:
contents: write # needed to push commits
pull-requests: write # needed to create pull requests
steps:
- name: Dump environment
run: env

3
.github/workflows/update-dependencies.yml vendored
View file

@ -9,6 +9,9 @@ jobs:
timeout-minutes: 45
runs-on: macos-latest
if: contains(github.event.pull_request.labels.*.name, 'Update dependencies') && (github.event.pull_request.head.repo.full_name == 'github/codeql-action')
permissions:
contents: write # needed to push the updated dependencies
pull-requests: write # needed to comment on the PR
steps:
- name: Checkout repository
uses: actions/checkout@v4

8
.github/workflows/update-release-branch.yml vendored
View file

@ -22,6 +22,8 @@ jobs:
latest_tag: ${{ steps.versions.outputs.latest_tag }}
backport_source_branch: ${{ steps.branches.outputs.backport_source_branch }}
backport_target_branches: ${{ steps.branches.outputs.backport_target_branches }}
permissions:
contents: read
steps:
- uses: actions/checkout@v4
with:
@ -63,6 +65,9 @@ jobs:
REPOSITORY: "${{ github.repository }}"
MAJOR_VERSION: "${{ needs.prepare.outputs.major_version }}"
LATEST_TAG: "${{ needs.prepare.outputs.latest_tag }}"
permissions:
contents: write # needed to push commits
pull-requests: write # needed to create pull request
steps:
- uses: actions/checkout@v4
with:
@ -114,6 +119,9 @@ jobs:
env:
SOURCE_BRANCH: ${{ needs.prepare.outputs.backport_source_branch }}
TARGET_BRANCH: ${{ matrix.target_branch }}
permissions:
contents: write # needed to push commits
pull-requests: write # needed to create pull request
steps:
- name: Generate token
uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755

5
.github/workflows/update-supported-enterprise-server-versions.yml vendored
View file

@ -10,7 +10,10 @@ jobs:
name: Update Supported Enterprise Server Versions
timeout-minutes: 45
runs-on: ubuntu-latest
if: ${{ github.repository == 'github/codeql-action' }}
if: github.repository == 'github/codeql-action'
permissions:
contents: write # needed to push commits
pull-requests: write # needed to create pull request
steps:
- name: Setup Python

4
pr-checks/checks/submit-sarif-failure.yml
View file

@ -14,6 +14,10 @@ env:
# Mark telemetry for this workflow so it can be treated separately.
CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks
permissions:
contents: read
security-events: write # needed to upload the SARIF file
steps:
- uses: actions/checkout@v4
- uses: ./init

2
pr-checks/sync.py
View file

@ -126,7 +126,7 @@ for file in (this_dir / 'checks').glob('*.yml'):
'name': checkSpecification['name'],
'permissions': {
'contents': 'read',
'security-events': 'write'
'security-events': 'read'
},
'timeout-minutes': 45,
'runs-on': '${{ matrix.os }}',