Skip to content

Declare permissions #15493

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Feb 15, 2024
Merged

Declare permissions #15493

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
e468f40
use `github/codeql-action...@main`
jsoref Feb 12, 2024
b58c856
Declare permissions
jsoref Jan 31, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Declare permissions 
Repositories can be configured with Default access (restricted)
https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

Best practice says that workflows should declare the minimal permissions they require.
Without declaring permissions, paranoid forks fail miserably.
  • Loading branch information
@jsoref
jsoref committed Feb 14, 2024
commit b58c856756bd398ad5c548a38b72cc22574f5660
3 changes: 3 additions & 0 deletions .github/workflows/check-change-note.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,8 @@
name: Check change note

permissions:
pull-requests: read

on:
pull_request_target:
types: [labeled, unlabeled, opened, synchronize, reopened, ready_for_review]
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/check-implicit-this.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,9 @@ on:
- main
- "rc/*"

permissions:
contents: read

jobs:
check:
runs-on: ubuntu-latest
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/check-qldoc.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,9 @@ on:
- main
- "rc/*"

permissions:
contents: read

jobs:
qldoc:
runs-on: ubuntu-latest
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/check-query-ids.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,9 @@ on:
- "rc/*"
workflow_dispatch:

permissions:
contents: read

jobs:
check:
name: Check query IDs
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/close-stale.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,9 @@ on:
schedule:
- cron: "30 1 * * *"

permissions:
issues: write

jobs:
stale:
if: github.repository == 'github/codeql'
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/compile-queries.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,9 @@ on:
- "codeql-cli-*"
pull_request:

permissions:
contents: read

jobs:
compile-queries:
if: github.repository_owner == 'github'
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/csharp-qltest.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,9 @@ defaults:
run:
working-directory: csharp

permissions:
contents: read

jobs:
qlupgrade:
runs-on: ubuntu-latest
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/csv-coverage-metrics.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,10 @@ on:
- ".github/workflows/csv-coverage-metrics.yml"
- ".github/actions/fetch-codeql/action.yml"

permissions:
contents: read
security-events: write

jobs:
publish-java:
runs-on: ubuntu-latest
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/csv-coverage-pr-artifacts.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,10 @@ on:
- main
- "rc/*"

permissions:
contents: read
pull-requests: read

jobs:
generate:
name: Generate framework coverage artifacts
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/csv-coverage-pr-comment.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,10 @@ on:
types:
- completed

permissions:
contents: read
pull-requests: write

jobs:
check:
name: Check framework coverage differences and comment
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/csv-coverage-timeseries.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,9 @@ name: Build framework coverage timeseries reports
on:
workflow_dispatch:

permissions:
contents: read

jobs:
build:
runs-on: ubuntu-latest
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/csv-coverage-update.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,10 @@ on:
schedule:
- cron: "0 0 * * *"

permissions:
contents: read
pull-requests: write

jobs:
update:
name: Update framework coverage report
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/csv-coverage.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,9 @@ on:
description: "github/codeql repo SHA used for looking up the CSV models"
required: false

permissions:
contents: read

jobs:
build:
runs-on: ubuntu-latest
Expand Down
5 changes: 3 additions & 2 deletions .github/workflows/fast-forward.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,13 +7,14 @@ name: Fast-forward tracking branch for selected CodeQL version
on:
workflow_dispatch:

permissions:
contents: write

jobs:
fast-forward:
name: Fast-forward tracking branch for selected CodeQL version
runs-on: ubuntu-latest
if: github.repository == 'github/codeql'
permissions:
contents: write
env:
BRANCH_NAME: 'lgtm.com'
steps:
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/go-tests-other-os.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,10 @@ on:
- codeql-workspace.yml
env:
GO_VERSION: '~1.21.0'

permissions:
contents: read

jobs:
test-mac:
name: Test MacOS
Expand Down
5 changes: 5 additions & 0 deletions .github/workflows/go-tests.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,8 +15,13 @@ on:
- .github/workflows/go-tests.yml
- .github/actions/**
- codeql-workspace.yml

env:
GO_VERSION: '~1.21.0'

permissions:
contents: read

jobs:
test-linux:
if: github.repository_owner == 'github'
Expand Down
7 changes: 4 additions & 3 deletions .github/workflows/labeler.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,11 +2,12 @@ name: "Pull Request Labeler"
on:
- pull_request_target

permissions:
contents: read
pull-requests: write

jobs:
triage:
permissions:
contents: read
pull-requests: write
runs-on: ubuntu-latest
steps:
- uses: actions/labeler@v4
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/mad_regenerate-models.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,9 @@ on:
- ".github/workflows/mad_regenerate-models.yml"
- ".github/actions/fetch-codeql/action.yml"

permissions:
contents: read

jobs:
regenerate-models:
runs-on: ubuntu-latest
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/ql-for-ql-build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,10 @@ on:
env:
CARGO_TERM_COLOR: always

permissions:
contents: read
security-events: read

jobs:
analyze:
if: github.repository_owner == 'github'
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/ql-for-ql-dataset_measure.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,10 @@ on:
- ql/ql/src/ql.dbscheme
workflow_dispatch:

permissions:
contents: read
security-events: read

jobs:
measure:
env:
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/ql-for-ql-tests.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,9 @@ on:
env:
CARGO_TERM_COLOR: always

permissions:
contents: read

jobs:
qltest:
runs-on: ubuntu-latest
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/query-list.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,9 @@ on:
- '.github/actions/fetch-codeql/action.yml'
- 'misc/scripts/generate-code-scanning-query-list.py'

permissions:
contents: read

jobs:
build:

Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/ruby-build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,9 @@ defaults:
run:
working-directory: ruby

permissions:
contents: read

jobs:
build:
strategy:
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/ruby-dataset-measure.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,9 @@ on:
- .github/workflows/ruby-dataset-measure.yml
workflow_dispatch:

permissions:
contents: read

jobs:
measure:
env:
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/ruby-qltest.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,9 @@ defaults:
run:
working-directory: ruby

permissions:
contents: read

jobs:
qlupgrade:
runs-on: ubuntu-latest
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/swift.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,9 @@ on:
- rc/*
- codeql-cli-*

permissions:
contents: read

jobs:
# not using a matrix as you cannot depend on a specific job in a matrix, and we want to start linux checks
# without waiting for the macOS build
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/sync-files.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,9 @@ on:
- main
- 'rc/*'

permissions:
contents: read

jobs:
sync:
runs-on: ubuntu-latest
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/tree-sitter-extractor-test.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,9 @@ defaults:
run:
working-directory: shared/tree-sitter-extractor

permissions:
contents: read

jobs:
test:
runs-on: ubuntu-latest
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/validate-change-notes.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,9 @@ on:
- ".github/workflows/validate-change-notes.yml"
- ".github/actions/fetch-codeql/action.yml"

permissions:
contents: read

jobs:
check-change-note:
runs-on: ubuntu-latest
Expand Down
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy