Declare permissions

Repositories can be configured with Default access (restricted)
https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

Best practice says that workflows should declare the minimal permissions they require.
Without declared permissions, forks configured with the restricted default fail outright.
This commit is contained in:
Josh Soref
2024-01-31 03:31:54 -05:00
parent e468f4062f
commit b58c856756
29 changed files with 97 additions and 5 deletions


@@ -1,5 +1,8 @@
name: Check change note name: Check change note
permissions:
pull-requests: read
on: on:
pull_request_target: pull_request_target:
types: [labeled, unlabeled, opened, synchronize, reopened, ready_for_review] types: [labeled, unlabeled, opened, synchronize, reopened, ready_for_review]
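Review bot: This workflow runs on `pull_request_target`, and the new block grants only `pull-requests: read`; once a `permissions:` block exists every unlisted scope drops to none, so if the job (its body lies outside this hunk) checks out the repository it may also need `contents: read` next to the existing line. If the job only inspects labels and PR metadata, the block as written is the right minimum. A one-line comment above the block such as `# read-only: this job only inspects PR labels/metadata` would record why the narrow scope is sufficient.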


@@ -9,6 +9,9 @@ on:
- main - main
- "rc/*" - "rc/*"
permissions:
contents: read
jobs: jobs:
check: check:
runs-on: ubuntu-latest runs-on: ubuntu-latest


@@ -10,6 +10,9 @@ on:
- main - main
- "rc/*" - "rc/*"
permissions:
contents: read
jobs: jobs:
qldoc: qldoc:
runs-on: ubuntu-latest runs-on: ubuntu-latest


@@ -11,6 +11,9 @@ on:
- "rc/*" - "rc/*"
workflow_dispatch: workflow_dispatch:
permissions:
contents: read
jobs: jobs:
check: check:
name: Check query IDs name: Check query IDs


@@ -5,6 +5,9 @@ on:
schedule: schedule:
- cron: "30 1 * * *" - cron: "30 1 * * *"
permissions:
issues: write
jobs: jobs:
stale: stale:
if: github.repository == 'github/codeql' if: github.repository == 'github/codeql'
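Review bot: `issues: write` alone is enough only if the `stale` job acts on issues; if the step inside it (outside the hunk) also marks or closes pull requests it needs `pull-requests: write` too, because any scope not listed in an explicit block is denied rather than inherited. Worth confirming against the step's options and, if PRs are in scope, extending the block to `issues: write` / `pull-requests: write`.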


@@ -8,6 +8,9 @@ on:
- "codeql-cli-*" - "codeql-cli-*"
pull_request: pull_request:
permissions:
contents: read
jobs: jobs:
compile-queries: compile-queries:
if: github.repository_owner == 'github' if: github.repository_owner == 'github'


@@ -25,6 +25,9 @@ defaults:
run: run:
working-directory: csharp working-directory: csharp
permissions:
contents: read
jobs: jobs:
qlupgrade: qlupgrade:
runs-on: ubuntu-latest runs-on: ubuntu-latest


@@ -14,6 +14,10 @@ on:
- ".github/workflows/csv-coverage-metrics.yml" - ".github/workflows/csv-coverage-metrics.yml"
- ".github/actions/fetch-codeql/action.yml" - ".github/actions/fetch-codeql/action.yml"
permissions:
contents: read
security-events: write
jobs: jobs:
publish-java: publish-java:
runs-on: ubuntu-latest runs-on: ubuntu-latest
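Review bot: `security-events: write` is granted at the workflow level, so every job in this file receives it, although presumably only the publishing jobs (`publish-java` is the first visible one; the rest lie outside the hunk) upload results. Keeping `contents: read` at the top and adding `permissions: security-events: write` on the jobs that actually upload keeps the write scope off any job that merely builds. This is a scoping preference rather than a defect in what the commit declares.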


@@ -19,6 +19,10 @@ on:
- main - main
- "rc/*" - "rc/*"
permissions:
contents: read
pull-requests: read
jobs: jobs:
generate: generate:
name: Generate framework coverage artifacts name: Generate framework coverage artifacts


@@ -6,6 +6,10 @@ on:
types: types:
- completed - completed
permissions:
contents: read
pull-requests: write
jobs: jobs:
check: check:
name: Check framework coverage differences and comment name: Check framework coverage differences and comment
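Review bot: This workflow is triggered by `workflow_run` (`types: completed`) and now carries `pull-requests: write` at the workflow level. A `workflow_run` job runs with the base repository's token even when the triggering run came from a fork, so anything it takes from that run — artifacts, a PR number, text to post — is untrusted input that should be validated before the comment is written; the `check` job body is outside the hunk. Moving `pull-requests: write` onto the `check` job and leaving the workflow default at `contents: read` limits the write scope to the one job that comments.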


@@ -3,6 +3,9 @@ name: Build framework coverage timeseries reports
on: on:
workflow_dispatch: workflow_dispatch:
permissions:
contents: read
jobs: jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest


@@ -5,6 +5,10 @@ on:
schedule: schedule:
- cron: "0 0 * * *" - cron: "0 0 * * *"
permissions:
contents: read
pull-requests: write
jobs: jobs:
update: update:
name: Update framework coverage report name: Update framework coverage report


@@ -7,6 +7,9 @@ on:
description: "github/codeql repo SHA used for looking up the CSV models" description: "github/codeql repo SHA used for looking up the CSV models"
required: false required: false
permissions:
contents: read
jobs: jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest


@@ -7,13 +7,14 @@ name: Fast-forward tracking branch for selected CodeQL version
on: on:
workflow_dispatch: workflow_dispatch:
permissions:
contents: write
jobs: jobs:
fast-forward: fast-forward:
name: Fast-forward tracking branch for selected CodeQL version name: Fast-forward tracking branch for selected CodeQL version
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: github.repository == 'github/codeql' if: github.repository == 'github/codeql'
permissions:
contents: write
env: env:
BRANCH_NAME: 'lgtm.com' BRANCH_NAME: 'lgtm.com'
steps: steps:
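Review bot: The hunk counts (13 old lines, 14 new) suggest the job-level `permissions: contents: write` on `fast-forward` was dropped in favour of the new workflow-level block, which widens the grant from one job to every job in the file; the labeler hunk does the same for the `triage` job's `contents: read` / `pull-requests: write`. Job-level permissions are the narrower form, so I would keep the job-level block and declare only `contents: read` at the workflow level (or keep the job block as the sole declaration). For a single-job workflow the effective scope is the same today, but the job-level form does not silently widen when another job is added later.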


@@ -9,6 +9,10 @@ on:
- codeql-workspace.yml - codeql-workspace.yml
env: env:
GO_VERSION: '~1.21.0' GO_VERSION: '~1.21.0'
permissions:
contents: read
jobs: jobs:
test-mac: test-mac:
name: Test MacOS name: Test MacOS


@@ -15,8 +15,13 @@ on:
- .github/workflows/go-tests.yml - .github/workflows/go-tests.yml
- .github/actions/** - .github/actions/**
- codeql-workspace.yml - codeql-workspace.yml
env: env:
GO_VERSION: '~1.21.0' GO_VERSION: '~1.21.0'
permissions:
contents: read
jobs: jobs:
test-linux: test-linux:
if: github.repository_owner == 'github' if: github.repository_owner == 'github'


@@ -2,11 +2,12 @@ name: "Pull Request Labeler"
on: on:
- pull_request_target - pull_request_target
permissions:
contents: read
pull-requests: write
jobs: jobs:
triage: triage:
permissions:
contents: read
pull-requests: write
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/labeler@v4 - uses: actions/labeler@v4


@@ -11,6 +11,9 @@ on:
- ".github/workflows/mad_regenerate-models.yml" - ".github/workflows/mad_regenerate-models.yml"
- ".github/actions/fetch-codeql/action.yml" - ".github/actions/fetch-codeql/action.yml"
permissions:
contents: read
jobs: jobs:
regenerate-models: regenerate-models:
runs-on: ubuntu-latest runs-on: ubuntu-latest


@@ -9,6 +9,10 @@ on:
env: env:
CARGO_TERM_COLOR: always CARGO_TERM_COLOR: always
permissions:
contents: read
security-events: read
jobs: jobs:
analyze: analyze:
if: github.repository_owner == 'github' if: github.repository_owner == 'github'
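Review bot: `security-events: read` is declared here and again in the next hunk (the file with the `measure` job); if the `analyze` job runs the CodeQL analyze step with SARIF upload enabled, the upload requires `security-events: write` and will fail under this block, since an explicit `permissions:` denies every scope it does not raise. If these jobs only build a database or run with upload disabled, `read` is correct. Confirm against the steps (outside the hunk) and, where an upload happens, change the line to `security-events: write`.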


@@ -11,6 +11,10 @@ on:
- ql/ql/src/ql.dbscheme - ql/ql/src/ql.dbscheme
workflow_dispatch: workflow_dispatch:
permissions:
contents: read
security-events: read
jobs: jobs:
measure: measure:
env: env:


@@ -17,6 +17,9 @@ on:
env: env:
CARGO_TERM_COLOR: always CARGO_TERM_COLOR: always
permissions:
contents: read
jobs: jobs:
qltest: qltest:
runs-on: ubuntu-latest runs-on: ubuntu-latest


@@ -13,6 +13,9 @@ on:
- '.github/actions/fetch-codeql/action.yml' - '.github/actions/fetch-codeql/action.yml'
- 'misc/scripts/generate-code-scanning-query-list.py' - 'misc/scripts/generate-code-scanning-query-list.py'
permissions:
contents: read
jobs: jobs:
build: build:


@@ -32,6 +32,9 @@ defaults:
run: run:
working-directory: ruby working-directory: ruby
permissions:
contents: read
jobs: jobs:
build: build:
strategy: strategy:


@@ -17,6 +17,9 @@ on:
- .github/workflows/ruby-dataset-measure.yml - .github/workflows/ruby-dataset-measure.yml
workflow_dispatch: workflow_dispatch:
permissions:
contents: read
jobs: jobs:
measure: measure:
env: env:


@@ -29,6 +29,9 @@ defaults:
run: run:
working-directory: ruby working-directory: ruby
permissions:
contents: read
jobs: jobs:
qlupgrade: qlupgrade:
runs-on: ubuntu-latest runs-on: ubuntu-latest


@@ -33,6 +33,9 @@ on:
- rc/* - rc/*
- codeql-cli-* - codeql-cli-*
permissions:
contents: read
jobs: jobs:
# not using a matrix as you cannot depend on a specific job in a matrix, and we want to start linux checks # not using a matrix as you cannot depend on a specific job in a matrix, and we want to start linux checks
# without waiting for the macOS build # without waiting for the macOS build


@@ -10,6 +10,9 @@ on:
- main - main
- 'rc/*' - 'rc/*'
permissions:
contents: read
jobs: jobs:
sync: sync:
runs-on: ubuntu-latest runs-on: ubuntu-latest


@@ -23,6 +23,9 @@ defaults:
run: run:
working-directory: shared/tree-sitter-extractor working-directory: shared/tree-sitter-extractor
permissions:
contents: read
jobs: jobs:
test: test:
runs-on: ubuntu-latest runs-on: ubuntu-latest


@@ -15,6 +15,9 @@ on:
- ".github/workflows/validate-change-notes.yml" - ".github/workflows/validate-change-notes.yml"
- ".github/actions/fetch-codeql/action.yml" - ".github/actions/fetch-codeql/action.yml"
permissions:
contents: read
jobs: jobs:
check-change-note: check-change-note:
runs-on: ubuntu-latest runs-on: ubuntu-latest