Give only read-level security-events permission where possible

This commit is contained in:
Henry Mercer 2025-01-24 13:24:20 +00:00
parent d39065943f
commit 9cd802ec12
58 changed files with 64 additions and 58 deletions


@ -32,7 +32,7 @@ jobs:
name: All-platform bundle name: All-platform bundle
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -36,7 +36,7 @@ jobs:
name: "Analyze: 'ref' and 'sha' from inputs" name: "Analyze: 'ref' and 'sha' from inputs"
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -36,7 +36,7 @@ jobs:
name: autobuild-action name: autobuild-action
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -38,7 +38,7 @@ jobs:
name: Autobuild direct tracing (custom working directory) name: Autobuild direct tracing (custom working directory)
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -38,7 +38,7 @@ jobs:
name: Autobuild direct tracing name: Autobuild direct tracing
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -32,7 +32,7 @@ jobs:
name: Build mode autobuild name: Build mode autobuild
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -32,7 +32,7 @@ jobs:
name: Build mode manual name: Build mode manual
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -34,7 +34,7 @@ jobs:
name: Build mode none name: Build mode none
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -32,7 +32,7 @@ jobs:
name: Build mode rollback name: Build mode rollback
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -32,7 +32,7 @@ jobs:
name: Clean up database cluster directory name: Clean up database cluster directory
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -42,7 +42,7 @@ jobs:
name: Config export name: Config export
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -32,7 +32,7 @@ jobs:
name: Config input name: Config input
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -36,7 +36,7 @@ jobs:
name: 'C/C++: disabling autoinstalling dependencies (Linux)' name: 'C/C++: disabling autoinstalling dependencies (Linux)'
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -32,7 +32,7 @@ jobs:
name: 'C/C++: autoinstalling dependencies is skipped (macOS)' name: 'C/C++: autoinstalling dependencies is skipped (macOS)'
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -36,7 +36,7 @@ jobs:
name: 'C/C++: autoinstalling dependencies (Linux)' name: 'C/C++: autoinstalling dependencies (Linux)'
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -42,7 +42,7 @@ jobs:
name: Diagnostic export name: Diagnostic export
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -36,7 +36,7 @@ jobs:
name: Export file baseline information name: Export file baseline information
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -36,7 +36,7 @@ jobs:
name: Extract directly to toolcache name: Extract directly to toolcache
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -32,7 +32,7 @@ jobs:
name: Extractor ram and threads options test name: Extractor ram and threads options test
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -34,7 +34,7 @@ jobs:
name: 'Go: Custom queries' name: 'Go: Custom queries'
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -32,7 +32,7 @@ jobs:
name: 'Go: diagnostic when Go is changed after init step' name: 'Go: diagnostic when Go is changed after init step'
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -32,7 +32,7 @@ jobs:
name: 'Go: diagnostic when `file` is not installed' name: 'Go: diagnostic when `file` is not installed'
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -32,7 +32,7 @@ jobs:
name: 'Go: workaround for indirect tracing' name: 'Go: workaround for indirect tracing'
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -62,7 +62,7 @@ jobs:
name: 'Go: tracing with autobuilder step' name: 'Go: tracing with autobuilder step'
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -62,7 +62,7 @@ jobs:
name: 'Go: tracing with custom build steps' name: 'Go: tracing with custom build steps'
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -62,7 +62,7 @@ jobs:
name: 'Go: tracing with legacy workflow' name: 'Go: tracing with legacy workflow'
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -36,7 +36,7 @@ jobs:
name: Custom source root name: Custom source root
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -32,7 +32,7 @@ jobs:
name: Job run UUID added to SARIF name: Job run UUID added to SARIF
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -32,7 +32,7 @@ jobs:
name: Language aliases name: Language aliases
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -62,7 +62,7 @@ jobs:
name: Multi-language repository name: Multi-language repository
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -48,7 +48,7 @@ jobs:
name: 'Packaging: Config and input passed to the CLI' name: 'Packaging: Config and input passed to the CLI'
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -48,7 +48,7 @@ jobs:
name: 'Packaging: Config and input' name: 'Packaging: Config and input'
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -48,7 +48,7 @@ jobs:
name: 'Packaging: Config file' name: 'Packaging: Config file'
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -48,7 +48,7 @@ jobs:
name: 'Packaging: Action input' name: 'Packaging: Action input'
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -34,7 +34,7 @@ jobs:
name: Remote config file name: Remote config file
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -48,7 +48,7 @@ jobs:
name: Resolve environment name: Resolve environment
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -32,7 +32,7 @@ jobs:
name: RuboCop multi-language name: RuboCop multi-language
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:

2
.github/workflows/__ruby.yml generated vendored

@ -42,7 +42,7 @@ jobs:
name: Ruby analysis name: Ruby analysis
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -42,7 +42,7 @@ jobs:
name: Split workflow name: Split workflow
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -36,7 +36,7 @@ jobs:
name: Start proxy name: Start proxy
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -36,7 +36,8 @@ jobs:
name: Submit SARIF after failure name: Submit SARIF after failure
permissions: permissions:
contents: read contents: read
security-events: write security-events: write # needed to upload the SARIF file
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -32,7 +32,7 @@ jobs:
name: Swift analysis using autobuild name: Swift analysis using autobuild
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -36,7 +36,7 @@ jobs:
name: Swift analysis using a custom build command name: Swift analysis using a custom build command
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -32,7 +32,7 @@ jobs:
name: Autobuild working directory name: Autobuild working directory
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -32,7 +32,7 @@ jobs:
name: Local CodeQL bundle name: Local CodeQL bundle
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:

2
.github/workflows/__test-proxy.yml generated vendored

@ -34,7 +34,7 @@ jobs:
name: Proxy test name: Proxy test
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -34,7 +34,7 @@ jobs:
name: Test unsetting environment variables name: Test unsetting environment variables
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -36,7 +36,7 @@ jobs:
name: "Upload-sarif: 'ref' and 'sha' from inputs" name: "Upload-sarif: 'ref' and 'sha' from inputs"
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -36,7 +36,7 @@ jobs:
name: Use a custom `checkout_path` name: Use a custom `checkout_path`
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -34,7 +34,7 @@ jobs:
name: Zstandard bundle (streaming) name: Zstandard bundle (streaming)
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -36,7 +36,7 @@ jobs:
name: Zstandard bundle name: Zstandard bundle
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -24,7 +24,7 @@ jobs:
versions: ${{ steps.compare.outputs.versions }} versions: ${{ steps.compare.outputs.versions }}
permissions: permissions:
security-events: write contents: read
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
@ -80,7 +80,8 @@ jobs:
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
permissions: permissions:
security-events: write contents: read
security-events: write # needed to upload results
steps: steps:
- name: Checkout - name: Checkout
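Review bot: In the first hunk of this section (`@@ -24,7 +24,7 @@`) the job that exposes the `versions` output has `security-events: write` replaced by `contents: read` rather than downgraded, so it ends up with no security-events scope at all; because an explicit job-level `permissions:` block sets every unlisted scope to none, that is only safe if the job never runs `./analyze` or `./upload-sarif` with upload enabled, and the job body lies outside the hunk, so this needs confirming. The second hunk keeps write with the comment `security-events: write # needed to upload results`, which would read more consistently with the rest of this commit as `security-events: write # needed to upload the SARIF file`. Both enclosing jobs start before their hunks.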


@ -26,7 +26,7 @@ jobs:
permissions: permissions:
contents: read contents: read
packages: read packages: read
security-events: write security-events: read
strategy: strategy:
fail-fast: false fail-fast: false


@ -24,7 +24,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
steps: steps:
- name: Check out repository - name: Check out repository
uses: actions/checkout@v4 uses: actions/checkout@v4


@ -15,7 +15,7 @@ jobs:
timeout-minutes: 45 timeout-minutes: 45
permissions: permissions:
contents: read contents: read
security-events: write security-events: write # needed to upload ESLint results
strategy: strategy:
fail-fast: false fail-fast: false


@ -27,7 +27,7 @@ jobs:
name: 'CodeQL Bundle All' name: 'CodeQL Bundle All'
permissions: permissions:
contents: read contents: read
security-events: write security-events: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:


@ -14,6 +14,10 @@ env:
# Mark telemetry for this workflow so it can be treated separately. # Mark telemetry for this workflow so it can be treated separately.
CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks
permissions:
contents: read
security-events: write # needed to upload the SARIF file
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: ./init - uses: ./init


@ -126,7 +126,7 @@ for file in (this_dir / 'checks').glob('*.yml'):
'name': checkSpecification['name'], 'name': checkSpecification['name'],
'permissions': { 'permissions': {
'contents': 'read', 'contents': 'read',
'security-events': 'write' 'security-events': 'read'
}, },
'timeout-minutes': 45, 'timeout-minutes': 45,
'runs-on': '${{ matrix.os }}', 'runs-on': '${{ matrix.os }}',
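Review bot: The generator now emits a fixed `'security-events': 'read'` for every check, yet the generated `__*.yml` files in this same commit keep `security-events: write # needed to upload the SARIF file` for the "Submit SARIF after failure" check; unless a per-check override exists outside this hunk, the next run of this script would silently regress that file to `read` and break its upload step (a YAML dump of this dict also cannot reproduce that inline comment, so the line looks hand-edited). Consider sourcing the scope from the check specification with a read default, e.g. `'security-events': checkSpecification.get('permissions', {}).get('security-events', 'read')`, and putting the write value in that check's spec under `checks/` so the generated workflow and its source stay in sync. The enclosing `for` loop starts before the hunk.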