robojerk/codeql-action

Give only read-level security-events permission where possible

Browse source
This commit is contained in:
Henry Mercer 2025-01-24 13:24:20 +00:00
parent d39065943f
commit 9cd802ec12
58 changed files with 64 additions and 58 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.github/workflows/__all-platform-bundle.yml generated vendored
View file

@ -32,7 +32,7 @@ jobs:
name: All-platform bundle
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__analyze-ref-input.yml generated vendored
View file

@ -36,7 +36,7 @@ jobs:
name: "Analyze: 'ref' and 'sha' from inputs"
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__autobuild-action.yml generated vendored
View file

@ -36,7 +36,7 @@ jobs:
name: autobuild-action
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__autobuild-direct-tracing-with-working-dir.yml generated vendored
View file

@ -38,7 +38,7 @@ jobs:
name: Autobuild direct tracing (custom working directory)
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__autobuild-direct-tracing.yml generated vendored
View file

@ -38,7 +38,7 @@ jobs:
name: Autobuild direct tracing
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__build-mode-autobuild.yml generated vendored
View file

@ -32,7 +32,7 @@ jobs:
name: Build mode autobuild
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__build-mode-manual.yml generated vendored
View file

@ -32,7 +32,7 @@ jobs:
name: Build mode manual
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__build-mode-none.yml generated vendored
View file

@ -34,7 +34,7 @@ jobs:
name: Build mode none
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__build-mode-rollback.yml generated vendored
View file

@ -32,7 +32,7 @@ jobs:
name: Build mode rollback
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__cleanup-db-cluster-dir.yml generated vendored
View file

@ -32,7 +32,7 @@ jobs:
name: Clean up database cluster directory
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__config-export.yml generated vendored
View file

@ -42,7 +42,7 @@ jobs:
name: Config export
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__config-input.yml generated vendored
View file

@ -32,7 +32,7 @@ jobs:
name: Config input
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__cpp-deptrace-disabled.yml generated vendored
View file

@ -36,7 +36,7 @@ jobs:
name: 'C/C++: disabling autoinstalling dependencies (Linux)'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__cpp-deptrace-enabled-on-macos.yml generated vendored
View file

@ -32,7 +32,7 @@ jobs:
name: 'C/C++: autoinstalling dependencies is skipped (macOS)'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__cpp-deptrace-enabled.yml generated vendored
View file

@ -36,7 +36,7 @@ jobs:
name: 'C/C++: autoinstalling dependencies (Linux)'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__diagnostics-export.yml generated vendored
View file

@ -42,7 +42,7 @@ jobs:
name: Diagnostic export
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__export-file-baseline-information.yml generated vendored
View file

@ -36,7 +36,7 @@ jobs:
name: Export file baseline information
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__extract-direct-to-toolcache.yml generated vendored
View file

@ -36,7 +36,7 @@ jobs:
name: Extract directly to toolcache
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__extractor-ram-threads.yml generated vendored
View file

@ -32,7 +32,7 @@ jobs:
name: Extractor ram and threads options test
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__go-custom-queries.yml generated vendored
View file

@ -34,7 +34,7 @@ jobs:
name: 'Go: Custom queries'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml generated vendored
View file

@ -32,7 +32,7 @@ jobs:
name: 'Go: diagnostic when Go is changed after init step'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml generated vendored
View file

@ -32,7 +32,7 @@ jobs:
name: 'Go: diagnostic when `file` is not installed'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__go-indirect-tracing-workaround.yml generated vendored
View file

@ -32,7 +32,7 @@ jobs:
name: 'Go: workaround for indirect tracing'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__go-tracing-autobuilder.yml generated vendored
View file

@ -62,7 +62,7 @@ jobs:
name: 'Go: tracing with autobuilder step'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__go-tracing-custom-build-steps.yml generated vendored
View file

@ -62,7 +62,7 @@ jobs:
name: 'Go: tracing with custom build steps'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__go-tracing-legacy-workflow.yml generated vendored
View file

@ -62,7 +62,7 @@ jobs:
name: 'Go: tracing with legacy workflow'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__javascript-source-root.yml generated vendored
View file

@ -36,7 +36,7 @@ jobs:
name: Custom source root
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__job-run-uuid-sarif.yml generated vendored
View file

@ -32,7 +32,7 @@ jobs:
name: Job run UUID added to SARIF
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__language-aliases.yml generated vendored
View file

@ -32,7 +32,7 @@ jobs:
name: Language aliases
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__multi-language-autodetect.yml generated vendored
View file

@ -62,7 +62,7 @@ jobs:
name: Multi-language repository
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__packaging-codescanning-config-inputs-js.yml generated vendored
View file

@ -48,7 +48,7 @@ jobs:
name: 'Packaging: Config and input passed to the CLI'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__packaging-config-inputs-js.yml generated vendored
View file

@ -48,7 +48,7 @@ jobs:
name: 'Packaging: Config and input'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__packaging-config-js.yml generated vendored
View file

@ -48,7 +48,7 @@ jobs:
name: 'Packaging: Config file'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__packaging-inputs-js.yml generated vendored
View file

@ -48,7 +48,7 @@ jobs:
name: 'Packaging: Action input'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__remote-config.yml generated vendored
View file

@ -34,7 +34,7 @@ jobs:
name: Remote config file
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__resolve-environment-action.yml generated vendored
View file

@ -48,7 +48,7 @@ jobs:
name: Resolve environment
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__rubocop-multi-language.yml generated vendored
View file

@ -32,7 +32,7 @@ jobs:
name: RuboCop multi-language
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__ruby.yml generated vendored
View file

@ -42,7 +42,7 @@ jobs:
name: Ruby analysis
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__split-workflow.yml generated vendored
View file

@ -42,7 +42,7 @@ jobs:
name: Split workflow
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__start-proxy.yml generated vendored
View file

@ -36,7 +36,7 @@ jobs:
name: Start proxy
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

3
.github/workflows/__submit-sarif-failure.yml generated vendored
View file

@ -36,7 +36,8 @@ jobs:
name: Submit SARIF after failure
permissions:
contents: read
security-events: write
security-events: write # needed to upload the SARIF file
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__swift-autobuild.yml generated vendored
View file

@ -32,7 +32,7 @@ jobs:
name: Swift analysis using autobuild
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__swift-custom-build.yml generated vendored
View file

@ -36,7 +36,7 @@ jobs:
name: Swift analysis using a custom build command
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__test-autobuild-working-dir.yml generated vendored
View file

@ -32,7 +32,7 @@ jobs:
name: Autobuild working directory
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__test-local-codeql.yml generated vendored
View file

@ -32,7 +32,7 @@ jobs:
name: Local CodeQL bundle
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__test-proxy.yml generated vendored
View file

@ -34,7 +34,7 @@ jobs:
name: Proxy test
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__unset-environment.yml generated vendored
View file

@ -34,7 +34,7 @@ jobs:
name: Test unsetting environment variables
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__upload-ref-sha-input.yml generated vendored
View file

@ -36,7 +36,7 @@ jobs:
name: "Upload-sarif: 'ref' and 'sha' from inputs"
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__with-checkout-path.yml generated vendored
View file

@ -36,7 +36,7 @@ jobs:
name: Use a custom `checkout_path`
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__zstd-bundle-streaming.yml generated vendored
View file

@ -34,7 +34,7 @@ jobs:
name: Zstandard bundle (streaming)
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

2
.github/workflows/__zstd-bundle.yml generated vendored
View file

@ -36,7 +36,7 @@ jobs:
name: Zstandard bundle
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

5
.github/workflows/codeql.yml vendored
View file

@ -24,7 +24,7 @@ jobs:
versions: ${{ steps.compare.outputs.versions }}
permissions:
security-events: write
contents: read
steps:
- uses: actions/checkout@v4
@ -80,7 +80,8 @@ jobs:
runs-on: ${{ matrix.os }}
permissions:
security-events: write
contents: read
security-events: write # needed to upload results
steps:
- name: Checkout

2
.github/workflows/codescanning-config-cli.yml vendored
View file

@ -26,7 +26,7 @@ jobs:
permissions:
contents: read
packages: read
security-events: write
security-events: read
strategy:
fail-fast: false

2
.github/workflows/expected-queries-runs.yml vendored
View file

@ -24,7 +24,7 @@ jobs:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
security-events: read
steps:
- name: Check out repository
uses: actions/checkout@v4

2
.github/workflows/pr-checks.yml vendored
View file

@ -15,7 +15,7 @@ jobs:
timeout-minutes: 45
permissions:
contents: read
security-events: write
security-events: write # needed to upload ESLint results
strategy:
fail-fast: false

2
.github/workflows/test-codeql-bundle-all.yml vendored
View file

@ -27,7 +27,7 @@ jobs:
name: 'CodeQL Bundle All'
permissions:
contents: read
security-events: write
security-events: read
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:

4
pr-checks/checks/submit-sarif-failure.yml
View file

@ -14,6 +14,10 @@ env:
# Mark telemetry for this workflow so it can be treated separately.
CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks
permissions:
contents: read
security-events: write # needed to upload the SARIF file
steps:
- uses: actions/checkout@v4
- uses: ./init

2
pr-checks/sync.py
View file

@ -126,7 +126,7 @@ for file in (this_dir / 'checks').glob('*.yml'):
'name': checkSpecification['name'],
'permissions': {
'contents': 'read',
'security-events': 'write'
'security-events': 'read'
},
'timeout-minutes': 45,
'runs-on': '${{ matrix.os }}',