Document what permissions are required

[brettcannon]

We switched our repo to the default read-only permissions for GitHub Actions and our CodeQL workflow started to fail. Based on the failure message it seems the statuses: write permission is required.

P.S. Sorry to file an issue when the issue template selector only says to open an issue with GitHub Support, but none of the options really made sense since there's not "issues with a GitHub project" option.

[aeisenberg]

Thanks, @brettcannon! Let me look at that.

We should also revisit our issue templates.

[aeisenberg]

As far as I can tell, if you are using the default workflow, you should only need the following permissions:

    permissions:
      contents: read
      security-events: write
      pull-requests: read

Is your workflow doing anything special?

[The-Compiler]

@aeisenberg I'm not entirely sure if you're aware (apologies if you are!), but there was a recent change which allows restricting the default GitHub secret to read-only access.

This seems like an excellent best practice to follow (principle of least privilege), but indeed the CodeQL action fails with a non-obvious error message:

[...]
  request: {
    method: 'PUT',
    url: 'https://api.github.com/repos/qutebrowser/qutebrowser/code-scanning/analysis/status',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'CodeQL Action octokit-core.js/3.1.2 Node.js/12.13.1 (linux; x64)',
      authorization: 'token [REDACTED]',
      'content-type': 'application/json; charset=utf-8'
    },
    body: [...]
    request: { agent: [Agent], hook: [Function: bound bound register] }
  },
  documentation_url: 'https://docs.github.com/rest'
}
Error: Resource not accessible by integration

like @brettcannon I initially suspected it'd need statuses: write (based on the API URL used), but that didn't help.

Indeed just setting:

permissions:
  security-events: write

seemed to fix this for me, but I probably wouldn't have found if it wasn't for this issue.

[brettcannon]

@aeisenberg It's the vanilla workflow with just the languages we don't use left out: https://github.com/microsoft/vscode-python/blob/main/.github/workflows/codeql-analysis.yml.

But you and the @The-Compiler have the solution I was after and couldn't find in the docs! We have flipped all of our repos to the read-only access on workflows, hence the sudden failure (thanks for the forcing function, codecov 😉 ).

[aeisenberg]

Glad this worked out for you. We've recently (ie- yesterday) moved over to using permissions on our own repositories and workflows, so we are still figuring this out ourselves.

It sounds like the best solution here is to update the documentation.

[aeisenberg]

It's possible that you will also need the: actions: read permission. Some code flows will make requests to introspect the current workflow and this permission is needed. So, if you get any more failures, try adding that permission as well.

[jaqx0r]

I too came looking for the correct permissions to lock down a codeql workflow to, and think that all you need here is to put the suggestion from #464 (comment) or even #464 (comment) in the example in the README and the default template and you'll have resolved this issue.

[aeisenberg]

README is updated, but we haven't made changes yet to the suggested workflows.