From b58c856756bd398ad5c548a38b72cc22574f5660 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Wed, 31 Jan 2024 03:31:54 -0500 Subject: [PATCH] Declare permissions Repositories can be configured with Default access (restricted) https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token Best practice says that workflows should declare the minimal permissions they require. Without declaring permissions, paranoid forks fail miserably. --- .github/workflows/check-change-note.yml | 3 +++ .github/workflows/check-implicit-this.yml | 3 +++ .github/workflows/check-qldoc.yml | 3 +++ .github/workflows/check-query-ids.yml | 3 +++ .github/workflows/close-stale.yml | 3 +++ .github/workflows/compile-queries.yml | 3 +++ .github/workflows/csharp-qltest.yml | 3 +++ .github/workflows/csv-coverage-metrics.yml | 4 ++++ .github/workflows/csv-coverage-pr-artifacts.yml | 4 ++++ .github/workflows/csv-coverage-pr-comment.yml | 4 ++++ .github/workflows/csv-coverage-timeseries.yml | 3 +++ .github/workflows/csv-coverage-update.yml | 4 ++++ .github/workflows/csv-coverage.yml | 3 +++ .github/workflows/fast-forward.yml | 5 +++-- .github/workflows/go-tests-other-os.yml | 4 ++++ .github/workflows/go-tests.yml | 5 +++++ .github/workflows/labeler.yml | 7 ++++--- .github/workflows/mad_regenerate-models.yml | 3 +++ .github/workflows/ql-for-ql-build.yml | 4 ++++ .github/workflows/ql-for-ql-dataset_measure.yml | 4 ++++ .github/workflows/ql-for-ql-tests.yml | 3 +++ .github/workflows/query-list.yml | 3 +++ .github/workflows/ruby-build.yml | 3 +++ .github/workflows/ruby-dataset-measure.yml | 3 +++ .github/workflows/ruby-qltest.yml | 3 +++ .github/workflows/swift.yml | 3 +++ .github/workflows/sync-files.yml | 3 +++ .github/workflows/tree-sitter-extractor-test.yml | 3 +++ .github/workflows/validate-change-notes.yml | 3 +++ 29 files changed, 97 insertions(+), 5 deletions(-) 
diff --git a/.github/workflows/check-change-note.yml b/.github/workflows/check-change-note.yml
index e701090420d..026408a028d 100644
--- a/.github/workflows/check-change-note.yml
+++ b/.github/workflows/check-change-note.yml
@@ -1,5 +1,8 @@
 name: Check change note
 
+permissions:
+ pull-requests: read
+
 on:
 pull_request_target:
 types: [labeled, unlabeled, opened, synchronize, reopened, ready_for_review]
diff --git a/.github/workflows/check-implicit-this.yml b/.github/workflows/check-implicit-this.yml
index 14100ed3325..f58db399ccb 100644
--- a/.github/workflows/check-implicit-this.yml
+++ b/.github/workflows/check-implicit-this.yml
@@ -9,6 +9,9 @@ on:
 - main
 - "rc/*"
 
+permissions:
+ contents: read
+
 jobs:
 check:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/check-qldoc.yml b/.github/workflows/check-qldoc.yml
index 7996123e9bf..e64d661c791 100644
--- a/.github/workflows/check-qldoc.yml
+++ b/.github/workflows/check-qldoc.yml
@@ -10,6 +10,9 @@ on:
 - main
 - "rc/*"
 
+permissions:
+ contents: read
+
 jobs:
 qldoc:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/check-query-ids.yml b/.github/workflows/check-query-ids.yml
index 9e84fe0b0e3..8ae19cc3e5f 100644
--- a/.github/workflows/check-query-ids.yml
+++ b/.github/workflows/check-query-ids.yml
@@ -11,6 +11,9 @@ on:
 - "rc/*"
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 check:
 name: Check query IDs
diff --git a/.github/workflows/close-stale.yml b/.github/workflows/close-stale.yml
index a9e0d276308..1c74ede8bf6 100644
--- a/.github/workflows/close-stale.yml
+++ b/.github/workflows/close-stale.yml
@@ -5,6 +5,9 @@ on:
 schedule:
 - cron: "30 1 * * *"
 
+permissions:
+ issues: write
+
 jobs:
 stale:
 if: github.repository == 'github/codeql'
diff --git a/.github/workflows/compile-queries.yml b/.github/workflows/compile-queries.yml
index bc8a9f8666d..7176c6c1a50 100644
--- a/.github/workflows/compile-queries.yml
+++ b/.github/workflows/compile-queries.yml
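Review bot: The close-stale block grants `issues: write` only, but `actions/stale` also needs `pull-requests: write` whenever it is configured to mark or close stale pull requests; with an explicit `permissions` block every unlisted scope drops to `none`, so PR handling would start failing in the job logs rather than at parse time. The stale job's inputs are outside the hunk, so this needs checking against them. If pull requests are processed, the block should read `permissions:` / `  issues: write` / `  pull-requests: write`; if only issues are handled, the current block is already the minimal one.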
@@ -8,6 +8,9 @@ on:
 - "codeql-cli-*"
 pull_request:
 
+permissions:
+ contents: read
+
 jobs:
 compile-queries:
 if: github.repository_owner == 'github'
diff --git a/.github/workflows/csharp-qltest.yml b/.github/workflows/csharp-qltest.yml
index cc9520de0e2..557354e96de 100644
--- a/.github/workflows/csharp-qltest.yml
+++ b/.github/workflows/csharp-qltest.yml
@@ -25,6 +25,9 @@ defaults:
 run:
 working-directory: csharp
 
+permissions:
+ contents: read
+
 jobs:
 qlupgrade:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/csv-coverage-metrics.yml b/.github/workflows/csv-coverage-metrics.yml
index e24c6bc74a4..6f1170047bf 100644
--- a/.github/workflows/csv-coverage-metrics.yml
+++ b/.github/workflows/csv-coverage-metrics.yml
@@ -14,6 +14,10 @@ on:
 - ".github/workflows/csv-coverage-metrics.yml"
 - ".github/actions/fetch-codeql/action.yml"
 
+permissions:
+ contents: read
+ security-events: write
+
 jobs:
 publish-java:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/csv-coverage-pr-artifacts.yml b/.github/workflows/csv-coverage-pr-artifacts.yml
index 8e2df456260..b5baa70321d 100644
--- a/.github/workflows/csv-coverage-pr-artifacts.yml
+++ b/.github/workflows/csv-coverage-pr-artifacts.yml
@@ -19,6 +19,10 @@ on:
 - main
 - "rc/*"
 
+permissions:
+ contents: read
+ pull-requests: read
+
 jobs:
 generate:
 name: Generate framework coverage artifacts
diff --git a/.github/workflows/csv-coverage-pr-comment.yml b/.github/workflows/csv-coverage-pr-comment.yml
index 86fe74d3419..cf01ef063ac 100644
--- a/.github/workflows/csv-coverage-pr-comment.yml
+++ b/.github/workflows/csv-coverage-pr-comment.yml
@@ -6,6 +6,10 @@ on:
 types:
 - completed
 
+permissions:
+ contents: read
+ pull-requests: write
+
 jobs:
 check:
 name: Check framework coverage differences and comment
diff --git a/.github/workflows/csv-coverage-timeseries.yml b/.github/workflows/csv-coverage-timeseries.yml
index cf2758dd9d3..f2e1ed47a3d 100644
--- a/.github/workflows/csv-coverage-timeseries.yml
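Review bot: `security-events: write` in csv-coverage-metrics.yml is the only write scope in this commit that is not visibly paired with a consumer; it is required only for uploading results to code scanning, and a metrics-publishing job that does not upload SARIF should not carry it. The `publish-java` job body is outside the hunk, so confirm which step needs it, and either drop the scope or add a comment above it such as `# security-events: write is used by the SARIF upload step` so the next reader can see why it is there.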
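Review bot: `pull-requests: write` is now declared on a `workflow_run` trigger in csv-coverage-pr-comment.yml, which executes in the base repository's context with a token carrying these scopes even when the completed run came from a fork PR; the job name indicates it comments on the PR, so anything the check job reads from the triggering run's artifacts should be treated as untrusted data before it lands in the comment body or in an API call. This is the documented pattern for commenting on fork PRs and the two scopes look minimal for it, so only a comment is proposed above the block: `# workflow_run runs with the base repo's token; artifacts from the triggering run are untrusted input`. The check job's steps are outside the hunk.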
+++ b/.github/workflows/csv-coverage-timeseries.yml
@@ -3,6 +3,9 @@ name: Build framework coverage timeseries reports
 on:
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/csv-coverage-update.yml b/.github/workflows/csv-coverage-update.yml
index ccf1ffd4705..4902bee7a4f 100644
--- a/.github/workflows/csv-coverage-update.yml
+++ b/.github/workflows/csv-coverage-update.yml
@@ -5,6 +5,10 @@ on:
 schedule:
 - cron: "0 0 * * *"
 
+permissions:
+ contents: read
+ pull-requests: write
+
 jobs:
 update:
 name: Update framework coverage report
diff --git a/.github/workflows/csv-coverage.yml b/.github/workflows/csv-coverage.yml
index 4fb1d143fc3..9461ba887f5 100644
--- a/.github/workflows/csv-coverage.yml
+++ b/.github/workflows/csv-coverage.yml
@@ -7,6 +7,9 @@ on:
 description: "github/codeql repo SHA used for looking up the CSV models"
 required: false
 
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/fast-forward.yml b/.github/workflows/fast-forward.yml
index c89675efc4e..dd8fefbc529 100644
--- a/.github/workflows/fast-forward.yml
+++ b/.github/workflows/fast-forward.yml
@@ -7,13 +7,14 @@ name: Fast-forward tracking branch for selected CodeQL version
 on:
 workflow_dispatch:
 
+permissions:
+ contents: write
+
 jobs:
 fast-forward:
 name: Fast-forward tracking branch for selected CodeQL version
 runs-on: ubuntu-latest
 if: github.repository == 'github/codeql'
- permissions:
- contents: write
 env:
 BRANCH_NAME: 'lgtm.com'
 steps:
diff --git a/.github/workflows/go-tests-other-os.yml b/.github/workflows/go-tests-other-os.yml
index 9c489d38600..10ee9e8d13c 100644
--- a/.github/workflows/go-tests-other-os.yml
+++ b/.github/workflows/go-tests-other-os.yml
@@ -9,6 +9,10 @@ on:
 - codeql-workspace.yml
 env:
 GO_VERSION: '~1.21.0'
+
+permissions:
+ contents: read
+
 jobs:
 test-mac:
 name: Test MacOS
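Review bot: csv-coverage-update.yml now pairs `contents: read` with `pull-requests: write`, which is only consistent if the update job opens its pull request with a token other than `GITHUB_TOKEN`: pushing the branch that backs a PR needs `contents: write`, and with an explicit `permissions` block that scope is no longer supplied by the repository default. The job's steps are outside the hunk, so this is inferred from the job name only; if it does push a branch with the workflow token, the first scope line becomes `  contents: write`.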
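Review bot: The fast-forward hunk replaces a job-level `permissions: contents: write` with a workflow-level one, which loosens scoping rather than tightening it: the job-level block was already the minimal declaration, and a top-level `contents: write` is inherited by every job added to this workflow later. The same lift happens in labeler.yml on the next hunk, where `pull-requests: write` moves to the top of a `pull_request_target` workflow. Prefer `permissions:` / `  contents: read` at the workflow level and keep the removed job-level block in place, so the write scope stays attached to the one job that uses it while restricted-default forks still get a read token.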
diff --git a/.github/workflows/go-tests.yml b/.github/workflows/go-tests.yml
index 9a6b2bde7d7..5c67fae3a5c 100644
--- a/.github/workflows/go-tests.yml
+++ b/.github/workflows/go-tests.yml
@@ -15,8 +15,13 @@ on:
 - .github/workflows/go-tests.yml
 - .github/actions/**
 - codeql-workspace.yml
+
 env:
 GO_VERSION: '~1.21.0'
+
+permissions:
+ contents: read
+
 jobs:
 test-linux:
 if: github.repository_owner == 'github'
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 057208eda32..512fa40d2e3 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -2,11 +2,12 @@ name: "Pull Request Labeler"
 on:
 - pull_request_target
 
+permissions:
+ contents: read
+ pull-requests: write
+
 jobs:
 triage:
- permissions:
- contents: read
- pull-requests: write
 runs-on: ubuntu-latest
 steps:
 - uses: actions/labeler@v4
diff --git a/.github/workflows/mad_regenerate-models.yml b/.github/workflows/mad_regenerate-models.yml
index 3268a17dfbb..1c7d14238f3 100644
--- a/.github/workflows/mad_regenerate-models.yml
+++ b/.github/workflows/mad_regenerate-models.yml
@@ -11,6 +11,9 @@ on:
 - ".github/workflows/mad_regenerate-models.yml"
 - ".github/actions/fetch-codeql/action.yml"
 
+permissions:
+ contents: read
+
 jobs:
 regenerate-models:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/ql-for-ql-build.yml b/.github/workflows/ql-for-ql-build.yml
index b641bd5d8c5..8a4b882f30a 100644
--- a/.github/workflows/ql-for-ql-build.yml
+++ b/.github/workflows/ql-for-ql-build.yml
@@ -9,6 +9,10 @@ on:
 env:
 CARGO_TERM_COLOR: always
 
+permissions:
+ contents: read
+ security-events: read
+
 jobs:
 analyze:
 if: github.repository_owner == 'github'
diff --git a/.github/workflows/ql-for-ql-dataset_measure.yml b/.github/workflows/ql-for-ql-dataset_measure.yml
index a26811640f7..4f9887c4edc 100644
--- a/.github/workflows/ql-for-ql-dataset_measure.yml
+++ b/.github/workflows/ql-for-ql-dataset_measure.yml
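Review bot: `security-events: read` in ql-for-ql-build.yml (and again in ql-for-ql-dataset_measure.yml on the next hunk) is an unusual scope: uploading SARIF to code scanning requires `security-events: write`, while a job that neither uploads results nor reads alerts needs no `security-events` entry at all, so `read` either under-grants the analyze job or grants it something unused. The job bodies are outside the hunk; if `analyze` uploads results with the CodeQL action the line should be `  security-events: write`, otherwise drop the line from both files. Keeping only the scopes a step actually uses is what makes these blocks worth auditing later.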
@@ -11,6 +11,10 @@ on:
 - ql/ql/src/ql.dbscheme
 workflow_dispatch:
 
+permissions:
+ contents: read
+ security-events: read
+
 jobs:
 measure:
 env:
diff --git a/.github/workflows/ql-for-ql-tests.yml b/.github/workflows/ql-for-ql-tests.yml
index 4e0198511d2..578c26c2977 100644
--- a/.github/workflows/ql-for-ql-tests.yml
+++ b/.github/workflows/ql-for-ql-tests.yml
@@ -17,6 +17,9 @@ on:
 env:
 CARGO_TERM_COLOR: always
 
+permissions:
+ contents: read
+
 jobs:
 qltest:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/query-list.yml b/.github/workflows/query-list.yml
index 07fb3b682da..233cc8120f5 100644
--- a/.github/workflows/query-list.yml
+++ b/.github/workflows/query-list.yml
@@ -13,6 +13,9 @@ on:
 - '.github/actions/fetch-codeql/action.yml'
 - 'misc/scripts/generate-code-scanning-query-list.py'
 
+permissions:
+ contents: read
+
 jobs:
 build:
 
diff --git a/.github/workflows/ruby-build.yml b/.github/workflows/ruby-build.yml
index 61734647069..fda4045cd44 100644
--- a/.github/workflows/ruby-build.yml
+++ b/.github/workflows/ruby-build.yml
@@ -32,6 +32,9 @@ defaults:
 run:
 working-directory: ruby
 
+permissions:
+ contents: read
+
 jobs:
 build:
 strategy:
diff --git a/.github/workflows/ruby-dataset-measure.yml b/.github/workflows/ruby-dataset-measure.yml
index c064d8d2bfb..dd15a0aa63e 100644
--- a/.github/workflows/ruby-dataset-measure.yml
+++ b/.github/workflows/ruby-dataset-measure.yml
@@ -17,6 +17,9 @@ on:
 - .github/workflows/ruby-dataset-measure.yml
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 measure:
 env:
diff --git a/.github/workflows/ruby-qltest.yml b/.github/workflows/ruby-qltest.yml
index fbac0488b51..9dc86bbce20 100644
--- a/.github/workflows/ruby-qltest.yml
+++ b/.github/workflows/ruby-qltest.yml
@@ -29,6 +29,9 @@ defaults:
 run:
 working-directory: ruby
 
+permissions:
+ contents: read
+
 jobs:
 qlupgrade:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/swift.yml b/.github/workflows/swift.yml
index a461fbfdf8c..6956d31a398 100644
--- a/.github/workflows/swift.yml
+++ b/.github/workflows/swift.yml
@@ -33,6 +33,9 @@ on:
 - rc/*
 - codeql-cli-*
 
+permissions:
+ contents: read
+
 jobs:
 # not using a matrix as you cannot depend on a specific job in a matrix, and we want to start linux checks
 # without waiting for the macOS build
diff --git a/.github/workflows/sync-files.yml b/.github/workflows/sync-files.yml
index 7894eae7f55..1ed49ac3ecf 100644
--- a/.github/workflows/sync-files.yml
+++ b/.github/workflows/sync-files.yml
@@ -10,6 +10,9 @@ on:
 - main
 - 'rc/*'
 
+permissions:
+ contents: read
+
 jobs:
 sync:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/tree-sitter-extractor-test.yml b/.github/workflows/tree-sitter-extractor-test.yml
index 5d13b25466d..acc68e7ec2c 100644
--- a/.github/workflows/tree-sitter-extractor-test.yml
+++ b/.github/workflows/tree-sitter-extractor-test.yml
@@ -23,6 +23,9 @@ defaults:
 run:
 working-directory: shared/tree-sitter-extractor
 
+permissions:
+ contents: read
+
 jobs:
 test:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/validate-change-notes.yml b/.github/workflows/validate-change-notes.yml
index f8c1d9f6504..3c83ffa709a 100644
--- a/.github/workflows/validate-change-notes.yml
+++ b/.github/workflows/validate-change-notes.yml
@@ -15,6 +15,9 @@ on:
 - ".github/workflows/validate-change-notes.yml"
 - ".github/actions/fetch-codeql/action.yml"
 
+permissions:
+ contents: read
+
 jobs:
 check-change-note:
 runs-on: ubuntu-latest