Declare permissions #15493

Merged
merged 2 commits into from
Feb 15, 2024
3 changes: 3 additions & 0 deletions .github/workflows/check-change-note.yml
@@ -1,5 +1,8 @@
name: Check change note

permissions:
pull-requests: read

on:
pull_request_target:
types: [labeled, unlabeled, opened, synchronize, reopened, ready_for_review]
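Review bot: with `pull_request_target` as the trigger, the top-level `permissions: pull-requests: read` is the right direction, since this event runs with the base repository's token even for pull requests from forks. Keep in mind that once any scope is listed, every unlisted scope (including `contents`) is set to `none`, so any step that needs repository contents must be granted it explicitly, and no step under this event should check out or execute the PR head.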
3 changes: 3 additions & 0 deletions .github/workflows/check-implicit-this.yml
@@ -9,6 +9,9 @@ on:
- main
- "rc/*"

permissions:
contents: read

jobs:
check:
runs-on: ubuntu-latest
3 changes: 3 additions & 0 deletions .github/workflows/check-qldoc.yml
@@ -10,6 +10,9 @@ on:
- main
- "rc/*"

permissions:
contents: read

jobs:
qldoc:
runs-on: ubuntu-latest
3 changes: 3 additions & 0 deletions .github/workflows/check-query-ids.yml
@@ -11,6 +11,9 @@ on:
- "rc/*"
workflow_dispatch:

permissions:
contents: read

jobs:
check:
name: Check query IDs
3 changes: 3 additions & 0 deletions .github/workflows/close-stale.yml
@@ -5,6 +5,9 @@ on:
schedule:
- cron: "30 1 * * *"

permissions:
issues: write

jobs:
stale:
if: github.repository == 'github/codeql'
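Review bot: only `issues: write` is declared here, and because listing any scope sets all others to `none`, the `stale` job will be unable to label or close pull requests unless `pull-requests: write` is added as well. If the job is intended for issues only, this is the correct minimum.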
3 changes: 3 additions & 0 deletions .github/workflows/compile-queries.yml
@@ -8,6 +8,9 @@ on:
- "codeql-cli-*"
pull_request:

permissions:
contents: read

jobs:
compile-queries:
if: github.repository_owner == 'github'
3 changes: 3 additions & 0 deletions .github/workflows/csharp-qltest.yml
@@ -25,6 +25,9 @@ defaults:
run:
working-directory: csharp

permissions:
contents: read

jobs:
qlupgrade:
runs-on: ubuntu-latest
4 changes: 4 additions & 0 deletions .github/workflows/csv-coverage-metrics.yml
@@ -14,6 +14,10 @@ on:
- ".github/workflows/csv-coverage-metrics.yml"
- ".github/actions/fetch-codeql/action.yml"

permissions:
contents: read
security-events: write

jobs:
publish-java:
runs-on: ubuntu-latest
4 changes: 4 additions & 0 deletions .github/workflows/csv-coverage-pr-artifacts.yml
@@ -19,6 +19,10 @@ on:
- main
- "rc/*"

permissions:
contents: read
pull-requests: read

jobs:
generate:
name: Generate framework coverage artifacts
4 changes: 4 additions & 0 deletions .github/workflows/csv-coverage-pr-comment.yml
@@ -6,6 +6,10 @@ on:
types:
- completed

permissions:
contents: read
pull-requests: write

jobs:
check:
name: Check framework coverage differences and comment
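Review bot: the `types: - completed` trigger suggests a `workflow_run` event, which runs with the base repository's token regardless of where the triggering run came from. Combined with `pull-requests: write`, anything this job reads from the triggering run (downloaded artifacts, a PR number stored in them) is fork-controlled input and should be validated before it drives a comment or a PR lookup.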
3 changes: 3 additions & 0 deletions .github/workflows/csv-coverage-timeseries.yml
@@ -3,6 +3,9 @@ name: Build framework coverage timeseries reports
on:
workflow_dispatch:

permissions:
contents: read

jobs:
build:
runs-on: ubuntu-latest
4 changes: 4 additions & 0 deletions .github/workflows/csv-coverage-update.yml
@@ -5,6 +5,10 @@ on:
schedule:
- cron: "0 0 * * *"

permissions:
contents: read
pull-requests: write

jobs:
update:
name: Update framework coverage report
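Review bot: `pull-requests: write` lets the `update` job open a pull request, but with `contents: read` the `GITHUB_TOKEN` cannot push the branch that pull request would be based on. If the job pushes with a separate token this is fine; otherwise `contents: write` is needed here for the update to succeed.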
3 changes: 3 additions & 0 deletions .github/workflows/csv-coverage.yml
@@ -7,6 +7,9 @@ on:
description: "github/codeql repo SHA used for looking up the CSV models"
required: false

permissions:
contents: read

jobs:
build:
runs-on: ubuntu-latest
5 changes: 3 additions & 2 deletions .github/workflows/fast-forward.yml
@@ -7,13 +7,14 @@ name: Fast-forward tracking branch for selected CodeQL version
on:
workflow_dispatch:

permissions:
contents: write

jobs:
fast-forward:
name: Fast-forward tracking branch for selected CodeQL version
runs-on: ubuntu-latest
if: github.repository == 'github/codeql'
permissions:
contents: write
env:
BRANCH_NAME: 'lgtm.com'
steps:
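Review bot: this hunk moves `contents: write` from the `fast-forward` job (the removed `permissions:` block under the `if:` line) to the workflow level. With a single job the two are equivalent, but the job-level form was already the narrower one, and any job added to this file later would inherit write access to contents. Keeping the declaration on the job preserves least privilege as the workflow grows.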
4 changes: 4 additions & 0 deletions .github/workflows/go-tests-other-os.yml
@@ -9,6 +9,10 @@ on:
- codeql-workspace.yml
env:
GO_VERSION: '~1.21.0'

permissions:
contents: read

jobs:
test-mac:
name: Test MacOS
5 changes: 5 additions & 0 deletions .github/workflows/go-tests.yml
@@ -15,8 +15,13 @@ on:
- .github/workflows/go-tests.yml
- .github/actions/**
- codeql-workspace.yml

env:
GO_VERSION: '~1.21.0'

permissions:
contents: read

jobs:
test-linux:
if: github.repository_owner == 'github'
7 changes: 4 additions & 3 deletions .github/workflows/labeler.yml
@@ -2,11 +2,12 @@ name: "Pull Request Labeler"
on:
- pull_request_target

permissions:
contents: read
pull-requests: write

jobs:
triage:
permissions:
contents: read
pull-requests: write
runs-on: ubuntu-latest
steps:
- uses: actions/labeler@v4
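Review bot: moving `pull-requests: write` from the `triage` job to the workflow level widens it to every job in this `pull_request_target` workflow rather than just `triage`; equivalent today with one job, but the job-level block being removed was the tighter scope. Separately, `actions/labeler@v4` is pinned to a mutable major tag; for a workflow that runs with a write token on fork pull requests, pinning to a full commit SHA removes the possibility of the tag being retargeted.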
3 changes: 3 additions & 0 deletions .github/workflows/mad_regenerate-models.yml
@@ -11,6 +11,9 @@ on:
- ".github/workflows/mad_regenerate-models.yml"
- ".github/actions/fetch-codeql/action.yml"

permissions:
contents: read

jobs:
regenerate-models:
runs-on: ubuntu-latest
8 changes: 6 additions & 2 deletions .github/workflows/ql-for-ql-build.yml
@@ -9,6 +9,10 @@ on:
env:
CARGO_TERM_COLOR: always

permissions:
contents: read
security-events: read

jobs:
analyze:
if: github.repository_owner == 'github'
@@ -20,7 +24,7 @@ jobs:
fetch-depth: 0
- name: Find codeql
id: find-codeql
uses: github/codeql-action/init@v2
uses: github/codeql-action/init@main
Comment on lines -23 to +27 (Contributor Author)

@aeisenberg says:

All of it really should be using @main since we want to test on the latest in case we break something.

with:
languages: javascript # does not matter
- uses: ./.github/actions/os-version
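Review bot: `github/codeql-action/init@main` replaces a version tag with a floating branch ref. The quoted rationale (exercise the latest action so regressions surface early) is reasonable for an internal workflow, but the cost is that any breaking change on that branch lands here immediately and unreviewed, so a failure in this job may come from the action rather than from the change under test.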
@@ -66,7 +70,7 @@ jobs:
exclude:*/ql/lib/upgrades/
exclude:java/ql/integration-tests
- name: Upload sarif to code-scanning
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@main
with:
sarif_file: ql-for-ql.sarif
category: ql-for-ql
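Review bot: the `security-events: read` declared at the top of this file is not enough for the `Upload sarif to code-scanning` step: `github/codeql-action/upload-sarif` needs `security-events: write` to submit results, so with the new top-level block this workflow will fail at upload until the scope is raised, either on the `analyze` job or at the top level.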
6 changes: 5 additions & 1 deletion .github/workflows/ql-for-ql-dataset_measure.yml
@@ -11,6 +11,10 @@ on:
- ql/ql/src/ql.dbscheme
workflow_dispatch:

permissions:
contents: read
security-events: read

jobs:
measure:
env:
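Review bot: `security-events: read` is declared, but no step visible in this diff uploads results to code scanning. If the `measure` job never uploads SARIF the scope can be dropped entirely; if it does, `read` is insufficient and it needs `write`.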
@@ -25,7 +29,7 @@ jobs:

- name: Find codeql
id: find-codeql
uses: github/codeql-action/init@v2
uses: github/codeql-action/init@main
with:
languages: javascript # does not matter
- uses: ./.github/actions/os-version
7 changes: 5 additions & 2 deletions .github/workflows/ql-for-ql-tests.yml
@@ -17,14 +17,17 @@ on:
env:
CARGO_TERM_COLOR: always

permissions:
contents: read

jobs:
qltest:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Find codeql
id: find-codeql
uses: github/codeql-action/init@v2
uses: github/codeql-action/init@main
with:
languages: javascript # does not matter
- uses: ./.github/actions/os-version
@@ -69,7 +72,7 @@ jobs:
echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
- name: Find codeql
id: find-codeql
uses: github/codeql-action/init@v2
uses: github/codeql-action/init@main
with:
languages: javascript # does not matter
- uses: ./.github/actions/os-version
3 changes: 3 additions & 0 deletions .github/workflows/query-list.yml
@@ -13,6 +13,9 @@ on:
- '.github/actions/fetch-codeql/action.yml'
- 'misc/scripts/generate-code-scanning-query-list.py'

permissions:
contents: read

jobs:
build:

3 changes: 3 additions & 0 deletions .github/workflows/ruby-build.yml
@@ -32,6 +32,9 @@ defaults:
run:
working-directory: ruby

permissions:
contents: read

jobs:
build:
strategy:
3 changes: 3 additions & 0 deletions .github/workflows/ruby-dataset-measure.yml
@@ -17,6 +17,9 @@ on:
- .github/workflows/ruby-dataset-measure.yml
workflow_dispatch:

permissions:
contents: read

jobs:
measure:
env:
3 changes: 3 additions & 0 deletions .github/workflows/ruby-qltest.yml
@@ -29,6 +29,9 @@ defaults:
run:
working-directory: ruby

permissions:
contents: read

jobs:
qlupgrade:
runs-on: ubuntu-latest
3 changes: 3 additions & 0 deletions .github/workflows/swift.yml
@@ -33,6 +33,9 @@ on:
- rc/*
- codeql-cli-*

permissions:
contents: read

jobs:
# not using a matrix as you cannot depend on a specific job in a matrix, and we want to start linux checks
# without waiting for the macOS build
3 changes: 3 additions & 0 deletions .github/workflows/sync-files.yml
@@ -10,6 +10,9 @@ on:
- main
- 'rc/*'

permissions:
contents: read

jobs:
sync:
runs-on: ubuntu-latest
3 changes: 3 additions & 0 deletions .github/workflows/tree-sitter-extractor-test.yml
@@ -23,6 +23,9 @@ defaults:
run:
working-directory: shared/tree-sitter-extractor

permissions:
contents: read

jobs:
test:
runs-on: ubuntu-latest
3 changes: 3 additions & 0 deletions .github/workflows/validate-change-notes.yml
@@ -15,6 +15,9 @@ on:
- ".github/workflows/validate-change-notes.yml"
- ".github/actions/fetch-codeql/action.yml"

permissions:
contents: read

jobs:
check-change-note:
runs-on: ubuntu-latest