robojerk/codeql-action

Add missing permissions

Browse source
This commit is contained in:
Henry Mercer 2025-01-24 13:21:05 +00:00
parent 1645dbd3bf
commit d39065943f
13 changed files with 53 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

3
.github/workflows/check-expected-release-files.yml vendored
View file

@ -13,6 +13,9 @@ jobs:
check-expected-release-files: check-expected-release-files:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
steps: steps:
- name: Checkout CodeQL Action - name: Checkout CodeQL Action
uses: actions/checkout@v4 uses: actions/checkout@v4

5
.github/workflows/codescanning-config-cli.yml vendored
View file

@ -23,6 +23,11 @@ jobs:
code-scanning-config-tests: code-scanning-config-tests:
continue-on-error: true continue-on-error: true
permissions:
contents: read
packages: read
security-events: write
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:

4
.github/workflows/debug-artifacts-failure.yml vendored
View file

@ -23,6 +23,8 @@ jobs:
continue-on-error: true continue-on-error: true
env: env:
CODEQL_ACTION_TEST_MODE: true CODEQL_ACTION_TEST_MODE: true
permissions:
contents: read
timeout-minutes: 45 timeout-minutes: 45
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
@ -58,6 +60,8 @@ jobs:
name: Download and check debug artifacts after failure in analyze name: Download and check debug artifacts after failure in analyze
needs: upload-artifacts needs: upload-artifacts
timeout-minutes: 45 timeout-minutes: 45
permissions:
contents: read
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Download all artifacts - name: Download all artifacts

4
.github/workflows/debug-artifacts.yml vendored
View file

@ -34,6 +34,8 @@ jobs:
env: env:
CODEQL_ACTION_TEST_MODE: true CODEQL_ACTION_TEST_MODE: true
timeout-minutes: 45 timeout-minutes: 45
permissions:
contents: read
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Check out repository - name: Check out repository
@ -64,6 +66,8 @@ jobs:
name: Download and check debug artifacts name: Download and check debug artifacts
needs: upload-artifacts needs: upload-artifacts
timeout-minutes: 45 timeout-minutes: 45
permissions:
contents: read
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Download all artifacts - name: Download all artifacts

3
.github/workflows/post-release-mergeback.yml vendored
View file

@ -27,6 +27,9 @@ jobs:
BASE_BRANCH: "${{ github.event.inputs.baseBranch || 'main' }}" BASE_BRANCH: "${{ github.event.inputs.baseBranch || 'main' }}"
HEAD_BRANCH: "${{ github.head_ref || github.ref }}" HEAD_BRANCH: "${{ github.head_ref || github.ref }}"
permissions:
contents: write # needed to create tags and push commits
steps: steps:
- name: Dump environment - name: Dump environment
run: env run: env

9
.github/workflows/pr-checks.yml vendored
View file

@ -40,6 +40,8 @@ jobs:
check-node-modules: check-node-modules:
if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v') if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
name: Check modules up to date name: Check modules up to date
permissions:
contents: read
runs-on: macos-latest runs-on: macos-latest
timeout-minutes: 45 timeout-minutes: 45
@ -51,6 +53,8 @@ jobs:
check-file-contents: check-file-contents:
if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v') if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
name: Check file contents name: Check file contents
permissions:
contents: read
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 45 timeout-minutes: 45
@ -81,6 +85,8 @@ jobs:
fail-fast: false fail-fast: false
matrix: matrix:
os: [ubuntu-latest, macos-latest, windows-latest] os: [ubuntu-latest, macos-latest, windows-latest]
permissions:
contents: read
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
timeout-minutes: 45 timeout-minutes: 45
@ -101,6 +107,9 @@ jobs:
env: env:
BASE_REF: ${{ github.base_ref }} BASE_REF: ${{ github.base_ref }}
permissions:
contents: read
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- id: head-version - id: head-version

2
.github/workflows/python312-windows.yml vendored
View file

@ -17,6 +17,8 @@ jobs:
env: env:
CODEQL_ACTION_TEST_MODE: true CODEQL_ACTION_TEST_MODE: true
timeout-minutes: 45 timeout-minutes: 45
permissions:
contents: read
runs-on: windows-latest runs-on: windows-latest
steps: steps:

2
.github/workflows/query-filters.yml vendored
View file

@ -19,6 +19,8 @@ jobs:
query-filters: query-filters:
name: Query Filters Tests name: Query Filters Tests
timeout-minutes: 45 timeout-minutes: 45
permissions:
contents: read
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Check out repository - name: Check out repository

3
.github/workflows/rebuild.yml vendored
View file

@ -11,6 +11,9 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: github.event.label.name == 'Rebuild' if: github.event.label.name == 'Rebuild'
permissions:
contents: write # needed to push rebuilt commit
pull-requests: write # needed to comment on the PR
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@v4

3
.github/workflows/update-bundle.yml vendored
View file

@ -17,6 +17,9 @@ jobs:
update-bundle: update-bundle:
if: github.event.release.prerelease && startsWith(github.event.release.tag_name, 'codeql-bundle-') if: github.event.release.prerelease && startsWith(github.event.release.tag_name, 'codeql-bundle-')
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: write # needed to push commits
pull-requests: write # needed to create pull requests
steps: steps:
- name: Dump environment - name: Dump environment
run: env run: env

3
.github/workflows/update-dependencies.yml vendored
View file

@ -9,6 +9,9 @@ jobs:
timeout-minutes: 45 timeout-minutes: 45
runs-on: macos-latest runs-on: macos-latest
if: contains(github.event.pull_request.labels.*.name, 'Update dependencies') && (github.event.pull_request.head.repo.full_name == 'github/codeql-action') if: contains(github.event.pull_request.labels.*.name, 'Update dependencies') && (github.event.pull_request.head.repo.full_name == 'github/codeql-action')
permissions:
contents: write # needed to push the updated dependencies
pull-requests: write # needed to comment on the PR
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v4 uses: actions/checkout@v4

8
.github/workflows/update-release-branch.yml vendored
View file

@ -22,6 +22,8 @@ jobs:
latest_tag: ${{ steps.versions.outputs.latest_tag }} latest_tag: ${{ steps.versions.outputs.latest_tag }}
backport_source_branch: ${{ steps.branches.outputs.backport_source_branch }} backport_source_branch: ${{ steps.branches.outputs.backport_source_branch }}
backport_target_branches: ${{ steps.branches.outputs.backport_target_branches }} backport_target_branches: ${{ steps.branches.outputs.backport_target_branches }}
permissions:
contents: read
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
@ -63,6 +65,9 @@ jobs:
REPOSITORY: "${{ github.repository }}" REPOSITORY: "${{ github.repository }}"
MAJOR_VERSION: "${{ needs.prepare.outputs.major_version }}" MAJOR_VERSION: "${{ needs.prepare.outputs.major_version }}"
LATEST_TAG: "${{ needs.prepare.outputs.latest_tag }}" LATEST_TAG: "${{ needs.prepare.outputs.latest_tag }}"
permissions:
contents: write # needed to push commits
pull-requests: write # needed to create pull request
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
@ -114,6 +119,9 @@ jobs:
env: env:
SOURCE_BRANCH: ${{ needs.prepare.outputs.backport_source_branch }} SOURCE_BRANCH: ${{ needs.prepare.outputs.backport_source_branch }}
TARGET_BRANCH: ${{ matrix.target_branch }} TARGET_BRANCH: ${{ matrix.target_branch }}
permissions:
contents: write # needed to push commits
pull-requests: write # needed to create pull request
steps: steps:
- name: Generate token - name: Generate token
uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755

5
.github/workflows/update-supported-enterprise-server-versions.yml vendored
View file

@ -10,7 +10,10 @@ jobs:
name: Update Supported Enterprise Server Versions name: Update Supported Enterprise Server Versions
timeout-minutes: 45 timeout-minutes: 45
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: ${{ github.repository == 'github/codeql-action' }} if: github.repository == 'github/codeql-action'
permissions:
contents: write # needed to push commits
pull-requests: write # needed to create pull request
steps: steps:
- name: Setup Python - name: Setup Python