Repositories can be configured so that the GITHUB_TOKEN's default access is "restricted" (see https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token). Best practice says that workflows should declare the minimal permissions they require. Without an explicit `permissions:` block, this workflow fails on forks that use the restricted default.
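---
# Validates CodeQL pack change notes: runs `codeql pack release` over the
# listed language groups and fails the job if any existing change note has
# errors. Triggered only when change notes, this workflow, or the composite
# action it depends on change.
name: Validate change notes

on:
  push:
    paths:
      - "*/ql/*/change-notes/**/*"
      - ".github/workflows/validate-change-notes.yml"
      - ".github/actions/fetch-codeql/action.yml"
    branches:
      - main
      - "rc/*"
  pull_request:
    paths:
      - "*/ql/*/change-notes/**/*"
      - ".github/workflows/validate-change-notes.yml"
      - ".github/actions/fetch-codeql/action.yml"

# Least privilege for the GITHUB_TOKEN: this job only needs to read the
# checkout. Declaring it explicitly also keeps the workflow working in
# repositories/forks whose default token access is set to "restricted".
permissions:
  contents: read

jobs:
  check-change-note:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        # Supply-chain note: `@v4` is a mutable tag. Pinning to the full-length
        # commit SHA of the intended release (keeping the tag in a trailing
        # comment) makes the dependency immutable; look the SHA up from the
        # upstream release rather than copying one from elsewhere.
        uses: actions/checkout@v4
        with:
          # None of the visible steps push or need git credentials, so do not
          # leave the token in .git/config where later steps could read it.
          # NOTE(review): confirm ./.github/actions/fetch-codeql does not rely
          # on the persisted credential.
          persist-credentials: false

      - name: Setup CodeQL
        # Local composite action; its contents are outside this file.
        uses: ./.github/actions/fetch-codeql

      - name: Fail if there are any errors with existing change notes
        run: |
          codeql pack release --groups cpp,csharp,java,javascript,python,ruby,-examples,-test,-experimental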