
ci: trim permissions for codeql-analysis action #10839

Merged
merged 3 commits into from
Jul 14, 2021

Conversation

HonkingGoose
Collaborator

Changes:

  • Trim permissions for codeql-analysis.yml

Context:

I think we can tighten down our permissions for the CodeQL action as well.
There's no official documentation in their README yet, but I did find this issue: github/codeql-action#464

Please read the linked issue before reviewing my PR, maybe I'm missing something important from that discussion!

In that issue a contributor to the project says:

As far as I can tell, if you are using the default workflow, you should only need the following permissions:

    permissions:
      contents: read
      security-events: write
      pull-requests: read

Is your workflow doing anything special?

I figured, we can try these permissions.

Documentation (please check one with an [x])

  • I have updated the documentation, or
  • No documentation update is required

How I've tested my work (please tick one)

I have verified these changes via:

  • Code inspection only, or
  • Newly added/modified unit tests, or
  • No unit tests but ran on a real repository, or
  • Both unit tests + ran on a real repository
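As an added example (this is not the PR's own diff, which this page does not show), here is how the permissions block quoted from github/codeql-action#464 sits inside a complete codeql-analysis.yml, applied at the job level, with the `actions: read` fallback mentioned later in the thread left commented out until a failure shows it is needed. The action versions, trigger branches, schedule and language matrix are assumptions, not values taken from the Renovate repository.

```yaml
name: "CodeQL"

on:
  push:
    branches: [main]          # assumption: default branch name
  pull_request:
    branches: [main]
  schedule:
    - cron: "0 6 * * 1"       # assumption: weekly scheduled scan

# With no permissions block the job's GITHUB_TOKEN falls back to the
# repository's default token permissions instead of an explicit minimal
# set. The block below grants only what the default CodeQL workflow
# needs, per the contributor quoted in the PR description.
jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      contents: read          # check out the source tree
      security-events: write  # upload SARIF results to code scanning
      pull-requests: read     # read PR metadata on pull_request runs
      # actions: read         # add only if the action fails while introspecting the workflow

    strategy:
      fail-fast: false
      matrix:
        language: [javascript]   # assumption: Renovate is a TypeScript/JavaScript code base

    steps:
      - name: Checkout repository
        uses: actions/checkout@v2

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v1
        with:
          languages: ${{ matrix.language }}

      - name: Autobuild
        uses: github/codeql-action/autobuild@v1

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v1
```

Placing `permissions` on the job rather than at the top of the workflow keeps any job added later from silently inheriting these grants; each new job must state its own.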

@viceice
Member

viceice commented Jul 14, 2021

I'm not sure if we really need this, as these are all primary actions 🤔

rarkins
rarkins previously approved these changes Jul 14, 2021
@HonkingGoose
Collaborator Author

I'm not sure if we really need this, as these are all primary actions 🤔

What do you think @rarkins?

viceice
viceice previously approved these changes Jul 14, 2021
@rarkins
Collaborator

rarkins commented Jul 14, 2021

It's still best practice, but hopefully never needed

@HonkingGoose HonkingGoose marked this pull request as ready for review July 14, 2021 11:27
@HonkingGoose
Collaborator Author

I'd say we're ready to merge and see what happens. I think this is OK, but you can never be sure until you actually run it...

If the action breaks somehow after the merge, we can try out this suggestion from a collaborator:

It's possible that you will also need the: actions: read permission. Some code flows will make requests to introspect the current workflow and this permission is needed. So, if you get any more failures, try adding that permission as well.

github/codeql-action#464 (comment)

@viceice viceice dismissed stale reviews from rarkins and themself via e6e2f13 July 14, 2021 12:03
@rarkins rarkins merged commit 5279c24 into renovatebot:main Jul 14, 2021
@HonkingGoose HonkingGoose deleted the patch-1 branch July 14, 2021 12:17
@renovate-release
Collaborator

🎉 This PR is included in version 25.56.1 🎉

The release is available on:

Your semantic-release bot 📦🚀

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 15, 2021