Skip to content

Commit

Permalink
Declare permissions
Browse files Browse the repository at this point in the history
Repositories can be configured with Default access (restricted)
https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

Best practice says that workflows should declare the minimal permissions they require.
Without declaring permissions, paranoid forks fail miserably.
  • Loading branch information
jsoref committed Jan 31, 2024
1 parent aeae208 commit b997f22
Show file tree
Hide file tree
Showing 30 changed files with 110 additions and 0 deletions.
3 changes: 3 additions & 0 deletions .github/workflows/check-change-note.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,8 @@
name: Check change note

permissions:
pull-requests: read

on:
pull_request_target:
types: [labeled, unlabeled, opened, synchronize, reopened, ready_for_review]
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/check-implicit-this.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,9 @@ on:
- main
- "rc/*"

permissions:
contents: read

jobs:
check:
runs-on: ubuntu-latest
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/check-qldoc.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,9 @@ on:
- main
- "rc/*"

permissions:
contents: read

jobs:
qldoc:
runs-on: ubuntu-latest
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/check-query-ids.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,9 @@ on:
- "rc/*"
workflow_dispatch:

permissions:
contents: read

jobs:
check:
name: Check query IDs
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/close-stale.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,9 @@ on:
schedule:
- cron: "30 1 * * *"

permissions:
issues: write

jobs:
stale:
if: github.repository == 'github/codeql'
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/compile-queries.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,9 @@ on:
- "codeql-cli-*"
pull_request:

permissions:
contents: read

jobs:
compile-queries:
runs-on: ubuntu-latest-xl
Expand Down
7 changes: 7 additions & 0 deletions .github/workflows/csharp-qltest.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,10 @@ defaults:
run:
working-directory: csharp

permissions:
contents: read
security-events: read

jobs:
qlupgrade:
runs-on: ubuntu-latest
Expand All @@ -51,6 +55,9 @@ jobs:
fail-fast: false
matrix:
slice: ["1/2", "2/2"]
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@v4
- uses: ./csharp/actions/create-extractor-pack
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/csv-coverage-metrics.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,10 @@ on:
- ".github/workflows/csv-coverage-metrics.yml"
- ".github/actions/fetch-codeql/action.yml"

permissions:
contents: read
security-events: write

jobs:
publish-java:
runs-on: ubuntu-latest
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/csv-coverage-pr-artifacts.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,10 @@ on:
- main
- "rc/*"

permissions:
contents: read
pull-requests: read

jobs:
generate:
name: Generate framework coverage artifacts
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/csv-coverage-pr-comment.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,10 @@ on:
types:
- completed

permissions:
contents: read
pull-requests: write

jobs:
check:
name: Check framework coverage differences and comment
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/csv-coverage-timeseries.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,9 @@ name: Build framework coverage timeseries reports
on:
workflow_dispatch:

permissions:
contents: read

jobs:
build:
runs-on: ubuntu-latest
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/csv-coverage-update.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,10 @@ on:
schedule:
- cron: "0 0 * * *"

permissions:
contents: read
security-events: write

jobs:
update:
name: Update framework coverage report
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/csv-coverage.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,9 @@ on:
description: "github/codeql repo SHA used for looking up the CSV models"
required: false

permissions:
contents: read

jobs:
build:
runs-on: ubuntu-latest
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/fast-forward.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,9 @@ name: Fast-forward tracking branch for selected CodeQL version
on:
workflow_dispatch:

permissions:
contents: write

jobs:
fast-forward:
name: Fast-forward tracking branch for selected CodeQL version
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/go-tests-other-os.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,10 @@ on:
- codeql-workspace.yml
env:
GO_VERSION: '~1.21.0'

permissions:
contents: read

jobs:
test-mac:
name: Test MacOS
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/go-tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,10 @@ on:
- codeql-workspace.yml
env:
GO_VERSION: '~1.21.0'

permissions:
contents: read

jobs:
test-linux:
name: Test Linux (Ubuntu)
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/labeler.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,10 @@ name: "Pull Request Labeler"
on:
- pull_request_target

permissions:
contents: read
pull-requests: write

jobs:
triage:
permissions:
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/mad_regenerate-models.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,9 @@ on:
- ".github/workflows/mad_regenerate-models.yml"
- ".github/actions/fetch-codeql/action.yml"

permissions:
contents: read

jobs:
regenerate-models:
runs-on: ubuntu-latest
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/ql-for-ql-build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,10 @@ on:
env:
CARGO_TERM_COLOR: always

permissions:
contents: read
security-events: read

jobs:
analyze:
runs-on: ubuntu-latest-xl
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/ql-for-ql-dataset_measure.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,10 @@ on:
- ql/ql/src/ql.dbscheme
workflow_dispatch:

permissions:
contents: read
security-events: read

jobs:
measure:
env:
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/ql-for-ql-tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,10 @@ on:
env:
CARGO_TERM_COLOR: always

permissions:
contents: read
security-events: write

jobs:
qltest:
runs-on: ubuntu-latest
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/query-list.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,10 @@ on:
- '.github/actions/fetch-codeql/action.yml'
- 'misc/scripts/generate-code-scanning-query-list.py'

permissions:
contents: read
security-events: read

jobs:
build:

Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/ruby-build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,9 @@ defaults:
run:
working-directory: ruby

permissions:
contents: read

jobs:
build:
strategy:
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/ruby-dataset-measure.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,10 @@ on:
- .github/workflows/ruby-dataset-measure.yml
workflow_dispatch:

permissions:
contents: read
security-events: read

jobs:
measure:
env:
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/ruby-qltest.yml
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,10 @@ defaults:
run:
working-directory: ruby

permissions:
contents: read
security-events: read

jobs:
qlupgrade:
runs-on: ubuntu-latest
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/swift.yml
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,10 @@ on:
- rc/*
- codeql-cli-*

permissions:
contents: read
security-events: read

jobs:
# not using a matrix as you cannot depend on a specific job in a matrix, and we want to start linux checks
# without waiting for the macOS build
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/sync-files.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,9 @@ on:
- main
- 'rc/*'

permissions:
contents: read

jobs:
sync:
runs-on: ubuntu-latest
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/tree-sitter-extractor-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,9 @@ defaults:
run:
working-directory: shared/tree-sitter-extractor

permissions:
contents: read

jobs:
test:
runs-on: ubuntu-latest
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/validate-change-notes.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,10 @@ on:
- ".github/workflows/validate-change-notes.yml"
- ".github/actions/fetch-codeql/action.yml"

permissions:
contents: read
security-events: write

jobs:
check-change-note:
runs-on: ubuntu-latest
Expand Down
4 changes: 4 additions & 0 deletions csharp/actions/create-extractor-pack/action.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,9 @@
name: Build C# CodeQL pack
description: Builds the C# CodeQL pack

# permissions:
# security-events: read

runs:
using: composite
steps:
Expand Down

0 comments on commit b997f22

Please sign in to comment.