

Merge pull request #15493 from jsoref/declare-permissions
Declare permissions in workflows
angelapwen authored Feb 15, 2024
2 parents f4c9052 + b58c856 commit 0643184
Showing 29 changed files with 102 additions and 10 deletions.
3 changes: 3 additions & 0 deletions .github/workflows/check-change-note.yml
@@ -1,5 +1,8 @@
name: Check change note

permissions:
pull-requests: read

on:
pull_request_target:
types: [labeled, unlabeled, opened, synchronize, reopened, ready_for_review]
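Review bot: Declaring only `pull-requests: read` sets every other scope, including `contents`, to none, so if a step later in this workflow checks the repository out with actions/checkout it should be verified that checkout still succeeds, or `contents: read` added under `permissions:`. Read-only is the right choice here because the `pull_request_target` trigger runs with the base repository's token and secrets against pull requests from forks; keep it that way and make sure no step below checks out or executes the PR head ref. The job body is outside the hunk.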
3 changes: 3 additions & 0 deletions .github/workflows/check-implicit-this.yml
Expand Up @@ -9,6 +9,9 @@ on:
- main
- "rc/*"

permissions:
contents: read

jobs:
check:
runs-on: ubuntu-latest
3 changes: 3 additions & 0 deletions .github/workflows/check-qldoc.yml
Expand Up @@ -10,6 +10,9 @@ on:
- main
- "rc/*"

permissions:
contents: read

jobs:
qldoc:
runs-on: ubuntu-latest
3 changes: 3 additions & 0 deletions .github/workflows/check-query-ids.yml
Expand Up @@ -11,6 +11,9 @@ on:
- "rc/*"
workflow_dispatch:

permissions:
contents: read

jobs:
check:
name: Check query IDs
3 changes: 3 additions & 0 deletions .github/workflows/close-stale.yml
Expand Up @@ -5,6 +5,9 @@ on:
schedule:
- cron: "30 1 * * *"

permissions:
issues: write

jobs:
stale:
if: github.repository == 'github/codeql'
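Review bot: `issues: write` alone will not be enough if the stale job also labels or closes pull requests, because actions/stale uses the `pull-requests` scope for those and every undeclared scope is now none; add `pull-requests: write` in that case, or leave it out deliberately if the job is configured to touch issues only. The step's `with:` configuration is outside the hunk, so this needs to be checked against it.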
3 changes: 3 additions & 0 deletions .github/workflows/compile-queries.yml
Expand Up @@ -8,6 +8,9 @@ on:
- "codeql-cli-*"
pull_request:

permissions:
contents: read

jobs:
compile-queries:
if: github.repository_owner == 'github'
3 changes: 3 additions & 0 deletions .github/workflows/csharp-qltest.yml
Expand Up @@ -25,6 +25,9 @@ defaults:
run:
working-directory: csharp

permissions:
contents: read

jobs:
qlupgrade:
runs-on: ubuntu-latest
4 changes: 4 additions & 0 deletions .github/workflows/csv-coverage-metrics.yml
Expand Up @@ -14,6 +14,10 @@ on:
- ".github/workflows/csv-coverage-metrics.yml"
- ".github/actions/fetch-codeql/action.yml"

permissions:
contents: read
security-events: write

jobs:
publish-java:
runs-on: ubuntu-latest
4 changes: 4 additions & 0 deletions .github/workflows/csv-coverage-pr-artifacts.yml
Expand Up @@ -19,6 +19,10 @@ on:
- main
- "rc/*"

permissions:
contents: read
pull-requests: read

jobs:
generate:
name: Generate framework coverage artifacts
4 changes: 4 additions & 0 deletions .github/workflows/csv-coverage-pr-comment.yml
Expand Up @@ -6,6 +6,10 @@ on:
types:
- completed

permissions:
contents: read
pull-requests: write

jobs:
check:
name: Check framework coverage differences and comment
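Review bot: `pull-requests: write` is being granted to a `workflow_run`-triggered job, which runs with a privileged base-repository token after an untrusted pull-request workflow completes; if the job, as its name suggests, consumes an artifact produced by that PR run, the artifact contents (PR number, comment body) are attacker-controlled and must be validated before they drive an API call, for example by checking that the PR number resolves to the same head SHA as `github.event.workflow_run.head_sha`. `contents: read` is otherwise the right floor for this job. The steps are outside the hunk, so where the PR number comes from cannot be seen here.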
3 changes: 3 additions & 0 deletions .github/workflows/csv-coverage-timeseries.yml
Expand Up @@ -3,6 +3,9 @@ name: Build framework coverage timeseries reports
on:
workflow_dispatch:

permissions:
contents: read

jobs:
build:
runs-on: ubuntu-latest
4 changes: 4 additions & 0 deletions .github/workflows/csv-coverage-update.yml
Expand Up @@ -5,6 +5,10 @@ on:
schedule:
- cron: "0 0 * * *"

permissions:
contents: read
pull-requests: write

jobs:
update:
name: Update framework coverage report
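Review bot: `pull-requests: write` combined with `contents: read` only works for this scheduled update job if the branch carrying the regenerated report is pushed with something other than `GITHUB_TOKEN` (a PAT or app token), since pushing with the default token needs `contents: write`; if the job pushes with the default token this should become `contents: write`, otherwise the narrower read grant is correct and preferable. The steps are outside the hunk, so which token does the push cannot be seen here.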
3 changes: 3 additions & 0 deletions .github/workflows/csv-coverage.yml
Expand Up @@ -7,6 +7,9 @@ on:
description: "github/codeql repo SHA used for looking up the CSV models"
required: false

permissions:
contents: read

jobs:
build:
runs-on: ubuntu-latest
5 changes: 3 additions & 2 deletions .github/workflows/fast-forward.yml
Expand Up @@ -7,13 +7,14 @@ name: Fast-forward tracking branch for selected CodeQL version
on:
workflow_dispatch:

permissions:
contents: write

jobs:
fast-forward:
name: Fast-forward tracking branch for selected CodeQL version
runs-on: ubuntu-latest
if: github.repository == 'github/codeql'
permissions:
contents: write
env:
BRANCH_NAME: 'lgtm.com'
steps:
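Review bot: Moving `contents: write` from the job to the workflow level widens the default for any job later added to this file, whereas the job-level grant that was removed was already the tighter placement; consider keeping `contents: write` on the `fast-forward` job and declaring `permissions: contents: read` (or `permissions: {}`) at the top. Functionally the two are equivalent today because there is a single job, and the `if: github.repository == 'github/codeql'` guard together with the `workflow_dispatch`-only trigger keeps the blast radius small.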
4 changes: 4 additions & 0 deletions .github/workflows/go-tests-other-os.yml
Expand Up @@ -9,6 +9,10 @@ on:
- codeql-workspace.yml
env:
GO_VERSION: '~1.21.0'

permissions:
contents: read

jobs:
test-mac:
name: Test MacOS
5 changes: 5 additions & 0 deletions .github/workflows/go-tests.yml
Expand Up @@ -15,8 +15,13 @@ on:
- .github/workflows/go-tests.yml
- .github/actions/**
- codeql-workspace.yml

env:
GO_VERSION: '~1.21.0'

permissions:
contents: read

jobs:
test-linux:
if: github.repository_owner == 'github'
7 changes: 4 additions & 3 deletions .github/workflows/labeler.yml
Expand Up @@ -2,11 +2,12 @@ name: "Pull Request Labeler"
on:
- pull_request_target

permissions:
contents: read
pull-requests: write

jobs:
triage:
permissions:
contents: read
pull-requests: write
runs-on: ubuntu-latest
steps:
- uses: actions/labeler@v4
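Review bot: This workflow runs on `pull_request_target` with `pull-requests: write`, so the third-party step `uses: actions/labeler@v4` executes with a write-capable base-repository token on untrusted PR events; pin it to a full commit SHA (`uses: actions/labeler@<sha> # v4`) rather than a mutable tag so a moved or compromised tag cannot swap in different code. Lifting the grant from the `triage` job to workflow scope is equivalent while there is one job, but the job-level placement was the narrower one and any job added later now inherits write by default.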
3 changes: 3 additions & 0 deletions .github/workflows/mad_regenerate-models.yml
Expand Up @@ -11,6 +11,9 @@ on:
- ".github/workflows/mad_regenerate-models.yml"
- ".github/actions/fetch-codeql/action.yml"

permissions:
contents: read

jobs:
regenerate-models:
runs-on: ubuntu-latest
8 changes: 6 additions & 2 deletions .github/workflows/ql-for-ql-build.yml
Expand Up @@ -9,6 +9,10 @@ on:
env:
CARGO_TERM_COLOR: always

permissions:
contents: read
security-events: read

jobs:
analyze:
if: github.repository_owner == 'github'
Expand All @@ -20,7 +24,7 @@ jobs:
fetch-depth: 0
- name: Find codeql
id: find-codeql
uses: github/codeql-action/init@v2
uses: github/codeql-action/init@main
with:
languages: javascript # does not matter
- uses: ./.github/actions/os-version
Expand Down Expand Up @@ -66,7 +70,7 @@ jobs:
exclude:*/ql/lib/upgrades/
exclude:java/ql/integration-tests
- name: Upload sarif to code-scanning
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@main
with:
sarif_file: ql-for-ql.sarif
category: ql-for-ql
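Review bot: `security-events: read` in the new permissions block does not match the `upload-sarif` step in the second hunk, which needs `security-events: write` to post results to code scanning; with every undeclared scope now none and this one read-only, the upload is expected to be rejected, so this should read `security-events: write` unless the step has been verified to still work. Separately, the `uses:` lines appear to move `github/codeql-action/init` and `upload-sarif` from the `@v2` tag to `@main` (old line printed before new), and a branch is a mutable ref; prefer a release tag or full commit SHA, since being GitHub's own action reduces but does not remove the supply-chain exposure. Both steps' jobs extend beyond the hunks.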
6 changes: 5 additions & 1 deletion .github/workflows/ql-for-ql-dataset_measure.yml
Expand Up @@ -11,6 +11,10 @@ on:
- ql/ql/src/ql.dbscheme
workflow_dispatch:

permissions:
contents: read
security-events: read

jobs:
measure:
env:
Expand All @@ -25,7 +29,7 @@ jobs:

- name: Find codeql
id: find-codeql
uses: github/codeql-action/init@v2
uses: github/codeql-action/init@main
with:
languages: javascript # does not matter
- uses: ./.github/actions/os-version
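Review bot: The `init` step is only used to locate the CLI (its id is `find-codeql` and the language is marked `# does not matter`) and no upload step is visible, so `security-events: read` looks unnecessary and can likely be dropped to keep the grant minimal; the sibling ql-for-ql-tests.yml declares only `contents: read` around the same step, which supports that. The `uses: github/codeql-action/init@main` reference, apparently replacing `@v2`, floats on a branch; pin it to a release tag or full commit SHA so the job does not pick up unreviewed changes to the action. The rest of the `measure` job is outside the hunk.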
7 changes: 5 additions & 2 deletions .github/workflows/ql-for-ql-tests.yml
Expand Up @@ -17,14 +17,17 @@ on:
env:
CARGO_TERM_COLOR: always

permissions:
contents: read

jobs:
qltest:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Find codeql
id: find-codeql
uses: github/codeql-action/init@v2
uses: github/codeql-action/init@main
with:
languages: javascript # does not matter
- uses: ./.github/actions/os-version
Expand Down Expand Up @@ -69,7 +72,7 @@ jobs:
echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
- name: Find codeql
id: find-codeql
uses: github/codeql-action/init@v2
uses: github/codeql-action/init@main
with:
languages: javascript # does not matter
- uses: ./.github/actions/os-version
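Review bot: Both hunks appear to move `uses: github/codeql-action/init@v2` to `@main` (old line printed before new); a branch name is a mutable reference, so the test job will silently pick up whatever lands on that branch, and a release tag or full commit SHA (`uses: github/codeql-action/init@<sha> # v3`) is the safer pin even for a first-party action. `contents: read` is the right minimal grant for this test-only workflow. Both jobs continue outside the hunks.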
3 changes: 3 additions & 0 deletions .github/workflows/query-list.yml
Expand Up @@ -13,6 +13,9 @@ on:
- '.github/actions/fetch-codeql/action.yml'
- 'misc/scripts/generate-code-scanning-query-list.py'

permissions:
contents: read

jobs:
build:

3 changes: 3 additions & 0 deletions .github/workflows/ruby-build.yml
Expand Up @@ -32,6 +32,9 @@ defaults:
run:
working-directory: ruby

permissions:
contents: read

jobs:
build:
strategy:
3 changes: 3 additions & 0 deletions .github/workflows/ruby-dataset-measure.yml
Expand Up @@ -17,6 +17,9 @@ on:
- .github/workflows/ruby-dataset-measure.yml
workflow_dispatch:

permissions:
contents: read

jobs:
measure:
env:
3 changes: 3 additions & 0 deletions .github/workflows/ruby-qltest.yml
Expand Up @@ -29,6 +29,9 @@ defaults:
run:
working-directory: ruby

permissions:
contents: read

jobs:
qlupgrade:
runs-on: ubuntu-latest
3 changes: 3 additions & 0 deletions .github/workflows/swift.yml
Expand Up @@ -33,6 +33,9 @@ on:
- rc/*
- codeql-cli-*

permissions:
contents: read

jobs:
# not using a matrix as you cannot depend on a specific job in a matrix, and we want to start linux checks
# without waiting for the macOS build
3 changes: 3 additions & 0 deletions .github/workflows/sync-files.yml
Expand Up @@ -10,6 +10,9 @@ on:
- main
- 'rc/*'

permissions:
contents: read

jobs:
sync:
runs-on: ubuntu-latest
3 changes: 3 additions & 0 deletions .github/workflows/tree-sitter-extractor-test.yml
Expand Up @@ -23,6 +23,9 @@ defaults:
run:
working-directory: shared/tree-sitter-extractor

permissions:
contents: read

jobs:
test:
runs-on: ubuntu-latest
3 changes: 3 additions & 0 deletions .github/workflows/validate-change-notes.yml
Expand Up @@ -15,6 +15,9 @@ on:
- ".github/workflows/validate-change-notes.yml"
- ".github/actions/fetch-codeql/action.yml"

permissions:
contents: read

jobs:
check-change-note:
runs-on: ubuntu-latest
