From b997f226816425e4955fbb44c7599bc060bf42ef Mon Sep 17 00:00:00 2001 
From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Wed, 31 Jan 2024 03:31:54 -0500 Subject: [PATCH] Declare permissions Repositories can be configured with Default access (restricted) https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token Best practice says that workflows should declare the minimal permissions they require. Without declaring permissions, paranoid forks fail miserably. --- .github/workflows/check-change-note.yml | 3 +++ .github/workflows/check-implicit-this.yml | 3 +++ .github/workflows/check-qldoc.yml | 3 +++ .github/workflows/check-query-ids.yml | 3 +++ .github/workflows/close-stale.yml | 3 +++ .github/workflows/compile-queries.yml | 3 +++ .github/workflows/csharp-qltest.yml | 7 +++++++ .github/workflows/csv-coverage-metrics.yml | 4 ++++ .github/workflows/csv-coverage-pr-artifacts.yml | 4 ++++ .github/workflows/csv-coverage-pr-comment.yml | 4 ++++ .github/workflows/csv-coverage-timeseries.yml | 3 +++ .github/workflows/csv-coverage-update.yml | 4 ++++ .github/workflows/csv-coverage.yml | 3 +++ .github/workflows/fast-forward.yml | 3 +++ .github/workflows/go-tests-other-os.yml | 4 ++++ .github/workflows/go-tests.yml | 4 ++++ .github/workflows/labeler.yml | 4 ++++ .github/workflows/mad_regenerate-models.yml | 3 +++ .github/workflows/ql-for-ql-build.yml | 4 ++++ .github/workflows/ql-for-ql-dataset_measure.yml | 4 ++++ .github/workflows/ql-for-ql-tests.yml | 4 ++++ .github/workflows/query-list.yml | 4 ++++ .github/workflows/ruby-build.yml | 3 +++ .github/workflows/ruby-dataset-measure.yml | 4 ++++ .github/workflows/ruby-qltest.yml | 4 ++++ .github/workflows/swift.yml | 4 ++++ .github/workflows/sync-files.yml | 3 +++ .github/workflows/tree-sitter-extractor-test.yml | 3 +++ .github/workflows/validate-change-notes.yml | 4 ++++ csharp/actions/create-extractor-pack/action.yml | 4 ++++ 30 files changed, 110 insertions(+) 
diff --git a/.github/workflows/check-change-note.yml b/.github/workflows/check-change-note.yml
index e701090420dcb..026408a028d55 100644
--- a/.github/workflows/check-change-note.yml
+++ b/.github/workflows/check-change-note.yml
@@ -1,5 +1,8 @@
 name: Check change note
 
+permissions:
+  pull-requests: read
+
 on:
   pull_request_target:
     types: [labeled, unlabeled, opened, synchronize, reopened, ready_for_review]
diff --git a/.github/workflows/check-implicit-this.yml b/.github/workflows/check-implicit-this.yml
index 14100ed332525..f58db399ccb9e 100644
--- a/.github/workflows/check-implicit-this.yml
+++ b/.github/workflows/check-implicit-this.yml
@@ -9,6 +9,9 @@ on:
       - main
       - "rc/*"
 
+permissions:
+  contents: read
+
 jobs:
   check:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/check-qldoc.yml b/.github/workflows/check-qldoc.yml
index 7996123e9bf3a..e64d661c7911a 100644
--- a/.github/workflows/check-qldoc.yml
+++ b/.github/workflows/check-qldoc.yml
@@ -10,6 +10,9 @@ on:
       - main
       - "rc/*"
 
+permissions:
+  contents: read
+
 jobs:
   qldoc:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/check-query-ids.yml b/.github/workflows/check-query-ids.yml
index 9e84fe0b0e352..8ae19cc3e5f80 100644
--- a/.github/workflows/check-query-ids.yml
+++ b/.github/workflows/check-query-ids.yml
@@ -11,6 +11,9 @@ on:
       - "rc/*"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   check:
     name: Check query IDs
diff --git a/.github/workflows/close-stale.yml b/.github/workflows/close-stale.yml
index a9e0d27630893..1c74ede8bf6f5 100644
--- a/.github/workflows/close-stale.yml
+++ b/.github/workflows/close-stale.yml
@@ -5,6 +5,9 @@ on:
   schedule:
     - cron: "30 1 * * *"
 
+permissions:
+  issues: write
+
 jobs:
   stale:
     if: github.repository == 'github/codeql'
diff --git a/.github/workflows/compile-queries.yml b/.github/workflows/compile-queries.yml
index c44aa56a75309..223eeb902033d 100644
--- a/.github/workflows/compile-queries.yml
+++ b/.github/workflows/compile-queries.yml
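Review bot: In close-stale.yml the new workflow-level block grants only `issues: write`, and declaring any workflow-level `permissions:` sets every scope not listed to none, so if the stale job also marks or closes pull requests it will additionally need `pull-requests: write`, and if it checks out the repository it needs `contents: read`. The job's steps and action inputs are outside the hunk, so this has to be confirmed against the job body rather than the hunk. The same "everything not listed becomes none" effect applies to check-change-note.yml, whose block lists only `pull-requests: read`; that is correct if the job performs no checkout, which the hunk does not show.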
@@ -8,6 +8,9 @@ on:
       - "codeql-cli-*"
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   compile-queries:
     runs-on: ubuntu-latest-xl
diff --git a/.github/workflows/csharp-qltest.yml b/.github/workflows/csharp-qltest.yml
index 2b8ecad83d9b8..455e1f089a971 100644
--- a/.github/workflows/csharp-qltest.yml
+++ b/.github/workflows/csharp-qltest.yml
@@ -25,6 +25,10 @@ defaults:
   run:
     working-directory: csharp
 
+permissions:
+  contents: read
+  security-events: read
+
 jobs:
   qlupgrade:
     runs-on: ubuntu-latest
@@ -51,6 +55,9 @@ jobs:
       fail-fast: false
       matrix:
         slice: ["1/2", "2/2"]
+    permissions:
+      contents: read
+      security-events: write
     steps:
       - uses: actions/checkout@v4
       - uses: ./csharp/actions/create-extractor-pack
diff --git a/.github/workflows/csv-coverage-metrics.yml b/.github/workflows/csv-coverage-metrics.yml
index e24c6bc74a4cb..6f1170047bfd6 100644
--- a/.github/workflows/csv-coverage-metrics.yml
+++ b/.github/workflows/csv-coverage-metrics.yml
@@ -14,6 +14,10 @@ on:
       - ".github/workflows/csv-coverage-metrics.yml"
       - ".github/actions/fetch-codeql/action.yml"
 
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   publish-java:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/csv-coverage-pr-artifacts.yml b/.github/workflows/csv-coverage-pr-artifacts.yml
index 8e2df456260fb..b5baa70321d5a 100644
--- a/.github/workflows/csv-coverage-pr-artifacts.yml
+++ b/.github/workflows/csv-coverage-pr-artifacts.yml
@@ -19,6 +19,10 @@ on:
       - main
       - "rc/*"
 
+permissions:
+  contents: read
+  pull-requests: read
+
 jobs:
   generate:
     name: Generate framework coverage artifacts
diff --git a/.github/workflows/csv-coverage-pr-comment.yml b/.github/workflows/csv-coverage-pr-comment.yml
index 86fe74d3419a5..cf01ef063acf6 100644
--- a/.github/workflows/csv-coverage-pr-comment.yml
+++ b/.github/workflows/csv-coverage-pr-comment.yml
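Review bot: The workflow-level `security-events: write` added in csv-coverage-metrics.yml applies to every job in that file, whereas the two csharp-qltest.yml hunks in this same commit show the tighter shape: `security-events: read` at the top and `security-events: write` only in the `permissions:` block of the job that needs it. If only one job in csv-coverage-metrics.yml uploads results, move the write grant into that job's block and leave the workflow level at read; the job bodies are outside the hunk, so which jobs actually need write has to be checked in the files. The same workflow-level `security-events: write` appears in csv-coverage-update.yml, ql-for-ql-tests.yml and validate-change-notes.yml and the same scoping applies there.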
@@ -6,6 +6,10 @@ on:
     types:
       - completed
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   check:
     name: Check framework coverage differences and comment
diff --git a/.github/workflows/csv-coverage-timeseries.yml b/.github/workflows/csv-coverage-timeseries.yml
index cf2758dd9d344..f2e1ed47a3d10 100644
--- a/.github/workflows/csv-coverage-timeseries.yml
+++ b/.github/workflows/csv-coverage-timeseries.yml
@@ -3,6 +3,9 @@ name: Build framework coverage timeseries reports
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/csv-coverage-update.yml b/.github/workflows/csv-coverage-update.yml
index ccf1ffd470538..cfc39df5f661a 100644
--- a/.github/workflows/csv-coverage-update.yml
+++ b/.github/workflows/csv-coverage-update.yml
@@ -5,6 +5,10 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   update:
     name: Update framework coverage report
diff --git a/.github/workflows/csv-coverage.yml b/.github/workflows/csv-coverage.yml
index 4fb1d143fc394..9461ba887f5e1 100644
--- a/.github/workflows/csv-coverage.yml
+++ b/.github/workflows/csv-coverage.yml
@@ -7,6 +7,9 @@ on:
         description: "github/codeql repo SHA used for looking up the CSV models"
         required: false
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/fast-forward.yml b/.github/workflows/fast-forward.yml
index c89675efc4ed4..0c59ddc9284f2 100644
--- a/.github/workflows/fast-forward.yml
+++ b/.github/workflows/fast-forward.yml
@@ -7,6 +7,9 @@ name: Fast-forward tracking branch for selected CodeQL version
 on:
   workflow_dispatch:
 
+permissions:
+  contents: write
+
 jobs:
   fast-forward:
     name: Fast-forward tracking branch for selected CodeQL version
diff --git a/.github/workflows/go-tests-other-os.yml b/.github/workflows/go-tests-other-os.yml
index 8b0395fad9066..8bed69d2079e2 100644
--- a/.github/workflows/go-tests-other-os.yml
+++ b/.github/workflows/go-tests-other-os.yml
@@ -9,6 +9,10 @@ on:
       - codeql-workspace.yml
 env:
   GO_VERSION: '~1.21.0'
+
+permissions:
+  contents: read
+
 jobs:
   test-mac:
     name: Test MacOS
diff --git a/.github/workflows/go-tests.yml b/.github/workflows/go-tests.yml
index 9d518ac70b656..51e01e9a31e31 100644
--- a/.github/workflows/go-tests.yml
+++ b/.github/workflows/go-tests.yml
@@ -17,6 +17,10 @@ on:
       - codeql-workspace.yml
 env:
   GO_VERSION: '~1.21.0'
+
+permissions:
+  contents: read
+
 jobs:
   test-linux:
     name: Test Linux (Ubuntu)
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 057208eda328d..78f56b7e18d17 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -2,6 +2,10 @@ name: "Pull Request Labeler"
 on:
   - pull_request_target
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   triage:
     permissions:
diff --git a/.github/workflows/mad_regenerate-models.yml b/.github/workflows/mad_regenerate-models.yml
index 3268a17dfbb4e..1c7d14238f330 100644
--- a/.github/workflows/mad_regenerate-models.yml
+++ b/.github/workflows/mad_regenerate-models.yml
@@ -11,6 +11,9 @@ on:
       - ".github/workflows/mad_regenerate-models.yml"
       - ".github/actions/fetch-codeql/action.yml"
 
+permissions:
+  contents: read
+
 jobs:
   regenerate-models:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/ql-for-ql-build.yml b/.github/workflows/ql-for-ql-build.yml
index e8ac1fa0f1734..0c58adb1f05cc 100644
--- a/.github/workflows/ql-for-ql-build.yml
+++ b/.github/workflows/ql-for-ql-build.yml
@@ -9,6 +9,10 @@ on:
 env:
   CARGO_TERM_COLOR: always
 
+permissions:
+  contents: read
+  security-events: read
+
 jobs:
   analyze:
     runs-on: ubuntu-latest-xl
diff --git a/.github/workflows/ql-for-ql-dataset_measure.yml b/.github/workflows/ql-for-ql-dataset_measure.yml
index d317d467c9aa2..e33e3cf9e782f 100644
--- a/.github/workflows/ql-for-ql-dataset_measure.yml
+++ b/.github/workflows/ql-for-ql-dataset_measure.yml
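Review bot: labeler.yml runs on `pull_request_target`, and the last context line of its hunk shows the triage job already carries its own `permissions:` block; a job-level block replaces the workflow-level set entirely, so the new top-level `pull-requests: write` does nothing for triage and only serves as a default grant for any job that lacks a block of its own. On a privileged trigger it is safer to keep the workflow level at `contents: read` (or `permissions: {}`) and leave the write scope on the job, so a job added later without its own block does not inherit write access. The contents of the triage job's block are outside the hunk and should be checked to confirm it grants what the labeler step needs.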
@@ -11,6 +11,10 @@ on:
       - ql/ql/src/ql.dbscheme
   workflow_dispatch:
 
+permissions:
+  contents: read
+  security-events: read
+
 jobs:
   measure:
     env:
diff --git a/.github/workflows/ql-for-ql-tests.yml b/.github/workflows/ql-for-ql-tests.yml
index 4385e3f76bb14..cd7723fc8ebd3 100644
--- a/.github/workflows/ql-for-ql-tests.yml
+++ b/.github/workflows/ql-for-ql-tests.yml
@@ -17,6 +17,10 @@ on:
 env:
   CARGO_TERM_COLOR: always
 
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   qltest:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/query-list.yml b/.github/workflows/query-list.yml
index 07fb3b682da3f..17ba94c94e8fe 100644
--- a/.github/workflows/query-list.yml
+++ b/.github/workflows/query-list.yml
@@ -13,6 +13,10 @@ on:
       - '.github/actions/fetch-codeql/action.yml'
       - 'misc/scripts/generate-code-scanning-query-list.py'
 
+permissions:
+  contents: read
+  security-events: read
+
 jobs:
 
   build:
diff --git a/.github/workflows/ruby-build.yml b/.github/workflows/ruby-build.yml
index 392c6ff830262..845f2a07aed40 100644
--- a/.github/workflows/ruby-build.yml
+++ b/.github/workflows/ruby-build.yml
@@ -32,6 +32,9 @@ defaults:
   run:
     working-directory: ruby
 
+permissions:
+  contents: read
+
 jobs:
   build:
     strategy:
diff --git a/.github/workflows/ruby-dataset-measure.yml b/.github/workflows/ruby-dataset-measure.yml
index c064d8d2bfb4b..6aece12b749e7 100644
--- a/.github/workflows/ruby-dataset-measure.yml
+++ b/.github/workflows/ruby-dataset-measure.yml
@@ -17,6 +17,10 @@ on:
       - .github/workflows/ruby-dataset-measure.yml
   workflow_dispatch:
 
+permissions:
+  contents: read
+  security-events: read
+
 jobs:
   measure:
     env:
diff --git a/.github/workflows/ruby-qltest.yml b/.github/workflows/ruby-qltest.yml
index 19d5325091fde..201f542f04df4 100644
--- a/.github/workflows/ruby-qltest.yml
+++ b/.github/workflows/ruby-qltest.yml
@@ -29,6 +29,10 @@ defaults:
   run:
     working-directory: ruby
 
+permissions:
+  contents: read
+  security-events: read
+
 jobs:
   qlupgrade:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/swift.yml b/.github/workflows/swift.yml
index ff9cd29e238de..44daa6c4a4b44 100644
--- a/.github/workflows/swift.yml
+++ b/.github/workflows/swift.yml
@@ -33,6 +33,10 @@ on:
       - rc/*
       - codeql-cli-*
 
+permissions:
+  contents: read
+  security-events: read
+
 jobs:
   # not using a matrix as you cannot depend on a specific job in a matrix, and we want to start linux checks
   # without waiting for the macOS build
diff --git a/.github/workflows/sync-files.yml b/.github/workflows/sync-files.yml
index 7894eae7f55a8..1ed49ac3ecf63 100644
--- a/.github/workflows/sync-files.yml
+++ b/.github/workflows/sync-files.yml
@@ -10,6 +10,9 @@ on:
       - main
       - 'rc/*'
 
+permissions:
+  contents: read
+
 jobs:
   sync:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/tree-sitter-extractor-test.yml b/.github/workflows/tree-sitter-extractor-test.yml
index 5d13b25466d34..acc68e7ec2c71 100644
--- a/.github/workflows/tree-sitter-extractor-test.yml
+++ b/.github/workflows/tree-sitter-extractor-test.yml
@@ -23,6 +23,9 @@ defaults:
   run:
     working-directory: shared/tree-sitter-extractor
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/validate-change-notes.yml b/.github/workflows/validate-change-notes.yml
index f8c1d9f650422..66d65e9c62f35 100644
--- a/.github/workflows/validate-change-notes.yml
+++ b/.github/workflows/validate-change-notes.yml
@@ -15,6 +15,10 @@ on:
       - ".github/workflows/validate-change-notes.yml"
       - ".github/actions/fetch-codeql/action.yml"
 
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   check-change-note:
     runs-on: ubuntu-latest
diff --git a/csharp/actions/create-extractor-pack/action.yml b/csharp/actions/create-extractor-pack/action.yml
index f113d69061d5e..2186adb7a8eae 100644
--- a/csharp/actions/create-extractor-pack/action.yml
+++ b/csharp/actions/create-extractor-pack/action.yml
@@ -1,5 +1,9 @@
 name: Build C# CodeQL pack
 description: Builds the C# CodeQL pack
+
+# permissions:
+#   security-events: read
+
 runs:
   using: composite
   steps:
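Review bot: Action metadata has no `permissions` key, so the commented-out block added to csharp/actions/create-extractor-pack/action.yml can never be uncommented into something that works, and as written it reads like a setting that is merely disabled. Replace it with a plain comment that states the actual contract, for example `# Composite actions cannot declare permissions; the job that uses this action must grant security-events: read (see the qltest job in .github/workflows/csharp-qltest.yml).` That keeps the requirement documented next to the action without suggesting a knob that does not exist.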