hohn/codeql-lab
1
0
Fork 0
mirror of https://github.com/hohn/codeql-lab.git synced 2025-12-16 09:53:04 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add permissions blocks to all workflows

Browse Source
This commit is contained in:
Andrew Eisenberg
2025-02-13 22:36:28 +00:00
parent 417dd23e5b
commit 63add52bba
3 changed files with 9 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
.github/workflows/check-submodule-pointers.yml vendored
View File

@@ -14,6 +14,9 @@ on:
schedule: schedule:
- cron: '42 12 * * *' - cron: '42 12 * * *'
permissions:
contents: read
jobs: jobs:
check-submodules: check-submodules:
runs-on: ubuntu-latest runs-on: ubuntu-latest
@@ -22,13 +25,13 @@ jobs:
- uses: actions/checkout@v3 - uses: actions/checkout@v3
- name: Compare submodule pointers to lgtm.com branch - name: Compare submodule pointers to lgtm.com branch
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: | run: |
CODEQL_ACTUAL_SHA="$(git rev-parse @:./ql)" CODEQL_ACTUAL_SHA="$(git rev-parse @:./ql)"
CODEQL_EXPECTED_SHA="$(gh api repos/github/codeql/git/ref/heads/lgtm.com --jq '.object.sha')" CODEQL_EXPECTED_SHA="$(gh api repos/github/codeql/git/ref/heads/lgtm.com --jq '.object.sha')"
echo "The ql submodule currently points to $CODEQL_ACTUAL_SHA. The tip of the lgtm.com branch of github/codeql is $CODEQL_EXPECTED_SHA." echo "The ql submodule currently points to $CODEQL_ACTUAL_SHA. The tip of the lgtm.com branch of github/codeql is $CODEQL_EXPECTED_SHA."
if [ "$CODEQL_EXPECTED_SHA" != "$CODEQL_ACTUAL_SHA" ]; then if [ "$CODEQL_EXPECTED_SHA" != "$CODEQL_ACTUAL_SHA" ]; then
echo "::error:: The ql submodule is out of date with the lgtm.com branch of github/codeql. Expected $CODEQL_EXPECTED_SHA, found $CODEQL_ACTUAL_SHA." echo "::error:: The ql submodule is out of date with the lgtm.com branch of github/codeql. Expected $CODEQL_EXPECTED_SHA, found $CODEQL_ACTUAL_SHA."
exit 1 exit 1
fi fi

3
.github/workflows/mirror-main-to-master.yml vendored
View File

@@ -6,6 +6,9 @@ on:
push: push:
branches: [ main ] branches: [ main ]
permissions:
contents: write
jobs: jobs:
mirror-main-to-master: mirror-main-to-master:
runs-on: ubuntu-latest runs-on: ubuntu-latest

3
.github/workflows/report-failure.yml vendored
View File

@@ -15,7 +15,7 @@ jobs:
issues: write issues: write
steps: steps:
- name: Create issue - name: Create issue
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
WORKFLOW_RUN_URL: ${{ github.event.workflow_run.html_url }} WORKFLOW_RUN_URL: ${{ github.event.workflow_run.html_url }}
run: | run: |
@@ -24,4 +24,3 @@ jobs:
--repo "$GITHUB_REPOSITORY" \ --repo "$GITHUB_REPOSITORY" \
--title "Submodule pointers out of date: $TODAY" \ --title "Submodule pointers out of date: $TODAY" \
--body "Submodule pointer check failed: $WORKFLOW_RUN_URL" --body "Submodule pointer check failed: $WORKFLOW_RUN_URL"