Grant security-events: write permissions

2023-05-22 23:01:26 -04:00 · 2023-05-22 23:01:26 -04:00 · dba4f66682
commit dba4f66682
parent 8f9b20ba50
31 changed files with 95 additions and 4 deletions
--- a/.github/workflows/__analyze-ref-input.yml
+++ b/.github/workflows/__analyze-ref-input.yml
@ -68,6 +68,9 @@ jobs:
        - os: windows-latest
          version: nightly-latest
    name: "Analyze: 'ref' and 'sha' from inputs"
+    permissions:
+      contents: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__autobuild-action.yml
+++ b/.github/workflows/__autobuild-action.yml
@ -32,6 +32,9 @@ jobs:
        - os: windows-latest
          version: latest
    name: autobuild-action
+    permissions:
+      contents: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__config-export.yml
+++ b/.github/workflows/__config-export.yml
@ -38,6 +38,9 @@ jobs:
        - os: windows-latest
          version: nightly-latest
    name: Config export
+    permissions:
+      contents: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__diagnostics-export.yml
+++ b/.github/workflows/__diagnostics-export.yml
@ -44,6 +44,9 @@ jobs:
        - os: windows-latest
          version: nightly-latest
    name: Diagnostic export
+    permissions:
+      contents: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__export-file-baseline-information.yml
+++ b/.github/workflows/__export-file-baseline-information.yml
@ -32,6 +32,9 @@ jobs:
        - os: windows-latest
          version: nightly-latest
    name: Export file baseline information
+    permissions:
+      contents: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__extractor-ram-threads.yml
+++ b/.github/workflows/__extractor-ram-threads.yml
@ -28,6 +28,9 @@ jobs:
        - os: ubuntu-latest
          version: latest
    name: Extractor ram and threads options test
+    permissions:
+      contents: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__go-custom-queries.yml
+++ b/.github/workflows/__go-custom-queries.yml
@ -68,6 +68,9 @@ jobs:
        - os: windows-latest
          version: nightly-latest
    name: 'Go: Custom queries'
+    permissions:
+      contents: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__go-tracing-autobuilder.yml
+++ b/.github/workflows/__go-tracing-autobuilder.yml
@ -54,6 +54,9 @@ jobs:
        - os: macos-latest
          version: nightly-latest
    name: 'Go: tracing with autobuilder step'
+    permissions:
+      contents: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__go-tracing-custom-build-steps.yml
+++ b/.github/workflows/__go-tracing-custom-build-steps.yml
@ -54,6 +54,9 @@ jobs:
        - os: macos-latest
          version: nightly-latest
    name: 'Go: tracing with custom build steps'
+    permissions:
+      contents: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__go-tracing-legacy-workflow.yml
+++ b/.github/workflows/__go-tracing-legacy-workflow.yml
@ -54,6 +54,9 @@ jobs:
        - os: macos-latest
          version: nightly-latest
    name: 'Go: tracing with legacy workflow'
+    permissions:
+      contents: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__init-with-registries.yml
+++ b/.github/workflows/__init-with-registries.yml
@ -44,6 +44,10 @@ jobs:
        - os: windows-latest
          version: nightly-latest
    name: 'Packaging: Download using registries'
+    permissions:
+      contents: read
+      packages: read
+
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
@ -128,9 +132,5 @@ jobs:
            cat $QLCONFIG_PATH
            exit 1
        fi
-    permissions:
-      contents: read
-      packages: read
-
    env:
      CODEQL_ACTION_TEST_MODE: true
--- a/.github/workflows/__javascript-source-root.yml
+++ b/.github/workflows/__javascript-source-root.yml
@ -32,6 +32,9 @@ jobs:
        - os: ubuntu-latest
          version: nightly-latest
    name: Custom source root
+    permissions:
+      contents: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__ml-powered-queries.yml
+++ b/.github/workflows/__ml-powered-queries.yml
@ -68,6 +68,9 @@ jobs:
        - os: windows-latest
          version: nightly-latest
    name: ML-powered queries
+    permissions:
+      contents: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__multi-language-autodetect.yml
+++ b/.github/workflows/__multi-language-autodetect.yml
@ -54,6 +54,9 @@ jobs:
        - os: macos-latest
          version: nightly-latest
    name: Multi-language repository
+    permissions:
+      contents: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__packaging-codescanning-config-inputs-js.yml
+++ b/.github/workflows/__packaging-codescanning-config-inputs-js.yml
@ -44,6 +44,9 @@ jobs:
        - os: windows-latest
          version: nightly-latest
    name: 'Packaging: Config and input passed to the CLI'
+    permissions:
+      contents: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__packaging-config-inputs-js.yml
+++ b/.github/workflows/__packaging-config-inputs-js.yml
@ -44,6 +44,9 @@ jobs:
        - os: windows-latest
          version: nightly-latest
    name: 'Packaging: Config and input'
+    permissions:
+      contents: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__packaging-config-js.yml
+++ b/.github/workflows/__packaging-config-js.yml
@ -44,6 +44,9 @@ jobs:
        - os: windows-latest
          version: nightly-latest
    name: 'Packaging: Config file'
+    permissions:
+      contents: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__packaging-inputs-js.yml
+++ b/.github/workflows/__packaging-inputs-js.yml
@ -44,6 +44,9 @@ jobs:
        - os: windows-latest
          version: nightly-latest
    name: 'Packaging: Action input'
+    permissions:
+      contents: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__remote-config.yml
+++ b/.github/workflows/__remote-config.yml
@ -68,6 +68,9 @@ jobs:
        - os: windows-latest
          version: nightly-latest
    name: Remote config file
+    permissions:
+      contents: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__rubocop-multi-language.yml
+++ b/.github/workflows/__rubocop-multi-language.yml
@ -28,6 +28,9 @@ jobs:
        - os: ubuntu-latest
          version: cached
    name: RuboCop multi-language
+    permissions:
+      contents: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__ruby.yml
+++ b/.github/workflows/__ruby.yml
@ -38,6 +38,9 @@ jobs:
        - os: macos-latest
          version: nightly-latest
    name: Ruby analysis
+    permissions:
+      contents: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__split-workflow.yml
+++ b/.github/workflows/__split-workflow.yml
@ -38,6 +38,9 @@ jobs:
        - os: macos-latest
          version: nightly-latest
    name: Split workflow
+    permissions:
+      contents: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__submit-sarif-failure.yml
+++ b/.github/workflows/__submit-sarif-failure.yml
@ -32,6 +32,9 @@ jobs:
        - os: ubuntu-latest
          version: nightly-latest
    name: Submit SARIF after failure
+    permissions:
+      contents: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__swift-custom-build.yml
+++ b/.github/workflows/__swift-custom-build.yml
@ -38,6 +38,9 @@ jobs:
        - os: macos-latest
          version: nightly-latest
    name: Swift analysis using a custom build command
+    permissions:
+      contents: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__test-autobuild-working-dir.yml
+++ b/.github/workflows/__test-autobuild-working-dir.yml
@ -28,6 +28,9 @@ jobs:
        - os: ubuntu-latest
          version: latest
    name: Autobuild working directory
+    permissions:
+      contents: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__test-local-codeql.yml
+++ b/.github/workflows/__test-local-codeql.yml
@ -28,6 +28,9 @@ jobs:
        - os: ubuntu-latest
          version: nightly-latest
    name: Local CodeQL bundle
+    permissions:
+      contents: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__test-proxy.yml
+++ b/.github/workflows/__test-proxy.yml
@ -28,6 +28,9 @@ jobs:
        - os: ubuntu-latest
          version: latest
    name: Proxy test
+    permissions:
+      contents: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__unset-environment.yml
+++ b/.github/workflows/__unset-environment.yml
@ -40,6 +40,9 @@ jobs:
        - os: ubuntu-latest
          version: nightly-latest
    name: Test unsetting environment variables
+    permissions:
+      contents: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__upload-ref-sha-input.yml
+++ b/.github/workflows/__upload-ref-sha-input.yml
@ -68,6 +68,9 @@ jobs:
        - os: windows-latest
          version: nightly-latest
    name: "Upload-sarif: 'ref' and 'sha' from inputs"
+    permissions:
+      contents: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/.github/workflows/__with-checkout-path.yml
+++ b/.github/workflows/__with-checkout-path.yml
@ -68,6 +68,9 @@ jobs:
        - os: windows-latest
          version: nightly-latest
    name: Use a custom `checkout_path`
+    permissions:
+      contents: read
+      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
--- a/pr-checks/sync.py
+++ b/pr-checks/sync.py
@ -101,6 +101,10 @@ for file in os.listdir('checks'):
            }
        },
        'name': checkSpecification['name'],
+        'permissions': {
+            'contents': 'read',
+            'security-events': 'write'
+        },
        'timeout-minutes': 45,
        'runs-on': '${{ matrix.os }}',
        'steps': steps,