diff --git a/.github/workflows/check-submodule-pointers.yml b/.github/workflows/check-submodule-pointers.yml index 378d2e9..4eca1a1 100644 --- a/.github/workflows/check-submodule-pointers.yml +++ b/.github/workflows/check-submodule-pointers.yml @@ -14,6 +14,9 @@ on: schedule: - cron: '42 12 * * *' +permissions: + contents: read + jobs: check-submodules: runs-on: ubuntu-latest @@ -22,13 +25,13 @@ jobs: - uses: actions/checkout@v3 - name: Compare submodule pointers to lgtm.com branch - env: + env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | CODEQL_ACTUAL_SHA="$(git rev-parse @:./ql)" CODEQL_EXPECTED_SHA="$(gh api repos/github/codeql/git/ref/heads/lgtm.com --jq '.object.sha')" echo "The ql submodule currently points to $CODEQL_ACTUAL_SHA. The tip of the lgtm.com branch of github/codeql is $CODEQL_EXPECTED_SHA." - if [ "$CODEQL_EXPECTED_SHA" != "$CODEQL_ACTUAL_SHA" ]; then + if [ "$CODEQL_EXPECTED_SHA" != "$CODEQL_ACTUAL_SHA" ]; then echo "::error:: The ql submodule is out of date with the lgtm.com branch of github/codeql. Expected $CODEQL_EXPECTED_SHA, found $CODEQL_ACTUAL_SHA." exit 1 fi diff --git a/.github/workflows/mirror-main-to-master.yml b/.github/workflows/mirror-main-to-master.yml index 885da02..f16cd10 100644 --- a/.github/workflows/mirror-main-to-master.yml +++ b/.github/workflows/mirror-main-to-master.yml @@ -6,6 +6,9 @@ on: push: branches: [ main ] +permissions: + contents: write + jobs: mirror-main-to-master: runs-on: ubuntu-latest diff --git a/.github/workflows/report-failure.yml b/.github/workflows/report-failure.yml index 14fc02d..951d5a7 100644 --- a/.github/workflows/report-failure.yml +++ b/.github/workflows/report-failure.yml @@ -15,7 +15,7 @@ jobs: issues: write steps: - name: Create issue - env: + env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} WORKFLOW_RUN_URL: ${{ github.event.workflow_run.html_url }} run: | 
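Review bot: The new top-level `permissions:` block in check-submodule-pointers.yml (first hunk) carries no comment explaining why `contents: read` is sufficient. Declaring any scope sets every unlisted scope to `none`, so a step added later that needs another scope will fail without an obvious cause. I would add above the block `# Least privilege: this workflow only checks out the repo and reads a ref via gh api; unlisted scopes are none.` The `gh api` call in the following hunk reads from github/codeql rather than this repository, so this block does not govern that read; it presumably succeeds because that repository is public. The `jobs:` block continues outside this hunk.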
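Review bot: `contents: write` is granted at workflow level in mirror-main-to-master.yml, so any job later added to this file inherits a token that can push. report-failure.yml appears to scope `issues: write` on the job instead, and the same placement would fit here: `permissions: {}` at the top level, and `permissions:` with `contents: write` under `mirror-main-to-master:`. The job's steps are outside the hunk, so it cannot be confirmed from here that write access to contents is the only scope the job needs.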
@@ -24,4 +24,3 @@ jobs: --repo "$GITHUB_REPOSITORY" \ --title "Submodule pointers out of date: $TODAY" \ --body "Submodule pointer check failed: $WORKFLOW_RUN_URL" -