From dba4f666823f40d6a91c86e16b7db6e0435318f5 Mon Sep 17 00:00:00 2001
From: Josh Soref <2119212+jsoref@users.noreply.github.com>
Date: Mon, 22 May 2023 23:01:26 -0400
Subject: [PATCH] Grant security-events: write permissions
---
 .github/workflows/__analyze-ref-input.yml | 3 +++
 .github/workflows/__autobuild-action.yml | 3 +++
 .github/workflows/__config-export.yml | 3 +++
 .github/workflows/__diagnostics-export.yml | 3 +++
 .github/workflows/__export-file-baseline-information.yml | 3 +++
 .github/workflows/__extractor-ram-threads.yml | 3 +++
 .github/workflows/__go-custom-queries.yml | 3 +++
 .github/workflows/__go-tracing-autobuilder.yml | 3 +++
 .github/workflows/__go-tracing-custom-build-steps.yml | 3 +++
 .github/workflows/__go-tracing-legacy-workflow.yml | 3 +++
 .github/workflows/__init-with-registries.yml | 8 ++++----
 .github/workflows/__javascript-source-root.yml | 3 +++
 .github/workflows/__ml-powered-queries.yml | 3 +++
 .github/workflows/__multi-language-autodetect.yml | 3 +++
 .../__packaging-codescanning-config-inputs-js.yml | 3 +++
 .github/workflows/__packaging-config-inputs-js.yml | 3 +++
 .github/workflows/__packaging-config-js.yml | 3 +++
 .github/workflows/__packaging-inputs-js.yml | 3 +++
 .github/workflows/__remote-config.yml | 3 +++
 .github/workflows/__rubocop-multi-language.yml | 3 +++
 .github/workflows/__ruby.yml | 3 +++
 .github/workflows/__split-workflow.yml | 3 +++
 .github/workflows/__submit-sarif-failure.yml | 3 +++
 .github/workflows/__swift-custom-build.yml | 3 +++
 .github/workflows/__test-autobuild-working-dir.yml | 3 +++
 .github/workflows/__test-local-codeql.yml | 3 +++
 .github/workflows/__test-proxy.yml | 3 +++
 .github/workflows/__unset-environment.yml | 3 +++
 .github/workflows/__upload-ref-sha-input.yml | 3 +++
 .github/workflows/__with-checkout-path.yml | 3 +++
 pr-checks/sync.py | 4 ++++
 31 files changed, 95 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/__analyze-ref-input.yml b/.github/workflows/__analyze-ref-input.yml
index 36564db1c3..a185cead93 100644
--- a/.github/workflows/__analyze-ref-input.yml
+++ b/.github/workflows/__analyze-ref-input.yml
@@ -68,6 +68,9 @@ jobs:
 - os: windows-latest
 version: nightly-latest
 name: "Analyze: 'ref' and 'sha' from inputs"
+ permissions:
+ contents: read
+ security-events: write
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__autobuild-action.yml b/.github/workflows/__autobuild-action.yml
index 96e8b33bc6..9079dce81a 100644
--- a/.github/workflows/__autobuild-action.yml
+++ b/.github/workflows/__autobuild-action.yml
@@ -32,6 +32,9 @@ jobs:
 - os: windows-latest
 version: latest
 name: autobuild-action
+ permissions:
+ contents: read
+ security-events: write
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__config-export.yml b/.github/workflows/__config-export.yml
index dc47f2e190..481107e2a9 100644
--- a/.github/workflows/__config-export.yml
+++ b/.github/workflows/__config-export.yml
@@ -38,6 +38,9 @@ jobs:
 - os: windows-latest
 version: nightly-latest
 name: Config export
+ permissions:
+ contents: read
+ security-events: write
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__diagnostics-export.yml b/.github/workflows/__diagnostics-export.yml
index 58ea2128a0..222c6c481e 100644
--- a/.github/workflows/__diagnostics-export.yml
+++ b/.github/workflows/__diagnostics-export.yml
@@ -44,6 +44,9 @@ jobs:
 - os: windows-latest
 version: nightly-latest
 name: Diagnostic export
+ permissions:
+ contents: read
+ security-events: write
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__export-file-baseline-information.yml b/.github/workflows/__export-file-baseline-information.yml
index 4ad63d2693..efb18bc3c6 100644
--- a/.github/workflows/__export-file-baseline-information.yml
+++ b/.github/workflows/__export-file-baseline-information.yml
@@ -32,6 +32,9 @@ jobs:
 - os: windows-latest
 version: nightly-latest
 name: Export file baseline information
+ permissions:
+ contents: read
+ security-events: write
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__extractor-ram-threads.yml b/.github/workflows/__extractor-ram-threads.yml
index 69dbaf248d..5de197d7d3 100644
--- a/.github/workflows/__extractor-ram-threads.yml
+++ b/.github/workflows/__extractor-ram-threads.yml
@@ -28,6 +28,9 @@ jobs:
 - os: ubuntu-latest
 version: latest
 name: Extractor ram and threads options test
+ permissions:
+ contents: read
+ security-events: write
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__go-custom-queries.yml b/.github/workflows/__go-custom-queries.yml
index 8c662f61f6..8212bd271d 100644
--- a/.github/workflows/__go-custom-queries.yml
+++ b/.github/workflows/__go-custom-queries.yml
@@ -68,6 +68,9 @@ jobs:
 - os: windows-latest
 version: nightly-latest
 name: 'Go: Custom queries'
+ permissions:
+ contents: read
+ security-events: write
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__go-tracing-autobuilder.yml b/.github/workflows/__go-tracing-autobuilder.yml
index 4a4e631d8b..50ff9696ba 100644
--- a/.github/workflows/__go-tracing-autobuilder.yml
+++ b/.github/workflows/__go-tracing-autobuilder.yml
@@ -54,6 +54,9 @@ jobs:
 - os: macos-latest
 version: nightly-latest
 name: 'Go: tracing with autobuilder step'
+ permissions:
+ contents: read
+ security-events: write
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__go-tracing-custom-build-steps.yml b/.github/workflows/__go-tracing-custom-build-steps.yml
index ae6db55716..29e309c1ff 100644
--- a/.github/workflows/__go-tracing-custom-build-steps.yml
+++ b/.github/workflows/__go-tracing-custom-build-steps.yml
@@ -54,6 +54,9 @@ jobs:
 - os: macos-latest
 version: nightly-latest
 name: 'Go: tracing with custom build steps'
+ permissions:
+ contents: read
+ security-events: write
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__go-tracing-legacy-workflow.yml b/.github/workflows/__go-tracing-legacy-workflow.yml
index 3a479b554c..295e4d1b80 100644
--- a/.github/workflows/__go-tracing-legacy-workflow.yml
+++ b/.github/workflows/__go-tracing-legacy-workflow.yml
@@ -54,6 +54,9 @@ jobs:
 - os: macos-latest
 version: nightly-latest
 name: 'Go: tracing with legacy workflow'
+ permissions:
+ contents: read
+ security-events: write
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__init-with-registries.yml b/.github/workflows/__init-with-registries.yml
index c6e07522cb..0a080974cf 100644
--- a/.github/workflows/__init-with-registries.yml
+++ b/.github/workflows/__init-with-registries.yml
@@ -44,6 +44,10 @@ jobs:
 - os: windows-latest
 version: nightly-latest
 name: 'Packaging: Download using registries'
+ permissions:
+ contents: read
+ packages: read
+
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
@@ -128,9 +132,5 @@ jobs:
 cat $QLCONFIG_PATH
 exit 1
 fi
- permissions:
- contents: read
- packages: read
-
 env:
 CODEQL_ACTION_TEST_MODE: true
diff --git a/.github/workflows/__javascript-source-root.yml b/.github/workflows/__javascript-source-root.yml
index d2372f2dba..7b4093508d 100644
--- a/.github/workflows/__javascript-source-root.yml
+++ b/.github/workflows/__javascript-source-root.yml
@@ -32,6 +32,9 @@ jobs:
 - os: ubuntu-latest
 version: nightly-latest
 name: Custom source root
+ permissions:
+ contents: read
+ security-events: write
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__ml-powered-queries.yml b/.github/workflows/__ml-powered-queries.yml
index a4d580ca76..c21bac0f85 100644
--- a/.github/workflows/__ml-powered-queries.yml
+++ b/.github/workflows/__ml-powered-queries.yml
@@ -68,6 +68,9 @@ jobs:
 - os: windows-latest
 version: nightly-latest
 name: ML-powered queries
+ permissions:
+ contents: read
+ security-events: write
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__multi-language-autodetect.yml b/.github/workflows/__multi-language-autodetect.yml
index d64655cd0c..39d65bcc03 100644
--- a/.github/workflows/__multi-language-autodetect.yml
+++ b/.github/workflows/__multi-language-autodetect.yml
@@ -54,6 +54,9 @@ jobs:
 - os: macos-latest
 version: nightly-latest
 name: Multi-language repository
+ permissions:
+ contents: read
+ security-events: write
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__packaging-codescanning-config-inputs-js.yml b/.github/workflows/__packaging-codescanning-config-inputs-js.yml
index 8895852d54..7ca279cef6 100644
--- a/.github/workflows/__packaging-codescanning-config-inputs-js.yml
+++ b/.github/workflows/__packaging-codescanning-config-inputs-js.yml
@@ -44,6 +44,9 @@ jobs:
 - os: windows-latest
 version: nightly-latest
 name: 'Packaging: Config and input passed to the CLI'
+ permissions:
+ contents: read
+ security-events: write
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__packaging-config-inputs-js.yml b/.github/workflows/__packaging-config-inputs-js.yml
index 8471bc6302..8958937120 100644
--- a/.github/workflows/__packaging-config-inputs-js.yml
+++ b/.github/workflows/__packaging-config-inputs-js.yml
@@ -44,6 +44,9 @@ jobs:
 - os: windows-latest
 version: nightly-latest
 name: 'Packaging: Config and input'
+ permissions:
+ contents: read
+ security-events: write
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__packaging-config-js.yml b/.github/workflows/__packaging-config-js.yml
index d1513ab758..50922980d5 100644
--- a/.github/workflows/__packaging-config-js.yml
+++ b/.github/workflows/__packaging-config-js.yml
@@ -44,6 +44,9 @@ jobs:
 - os: windows-latest
 version: nightly-latest
 name: 'Packaging: Config file'
+ permissions:
+ contents: read
+ security-events: write
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__packaging-inputs-js.yml b/.github/workflows/__packaging-inputs-js.yml
index a39ea9bff9..eef70effc0 100644
--- a/.github/workflows/__packaging-inputs-js.yml
+++ b/.github/workflows/__packaging-inputs-js.yml
@@ -44,6 +44,9 @@ jobs:
 - os: windows-latest
 version: nightly-latest
 name: 'Packaging: Action input'
+ permissions:
+ contents: read
+ security-events: write
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__remote-config.yml b/.github/workflows/__remote-config.yml
index 831d2b328a..5c27cef72f 100644
--- a/.github/workflows/__remote-config.yml
+++ b/.github/workflows/__remote-config.yml
@@ -68,6 +68,9 @@ jobs:
 - os: windows-latest
 version: nightly-latest
 name: Remote config file
+ permissions:
+ contents: read
+ security-events: write
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__rubocop-multi-language.yml b/.github/workflows/__rubocop-multi-language.yml
index 7a91a5ca8d..15d60a4cd4 100644
--- a/.github/workflows/__rubocop-multi-language.yml
+++ b/.github/workflows/__rubocop-multi-language.yml
@@ -28,6 +28,9 @@ jobs:
 - os: ubuntu-latest
 version: cached
 name: RuboCop multi-language
+ permissions:
+ contents: read
+ security-events: write
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__ruby.yml b/.github/workflows/__ruby.yml
index 3d1dcd5418..9fada78b3a 100644
--- a/.github/workflows/__ruby.yml
+++ b/.github/workflows/__ruby.yml
@@ -38,6 +38,9 @@ jobs:
 - os: macos-latest
 version: nightly-latest
 name: Ruby analysis
+ permissions:
+ contents: read
+ security-events: write
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__split-workflow.yml b/.github/workflows/__split-workflow.yml
index e332ef7115..35941185df 100644
--- a/.github/workflows/__split-workflow.yml
+++ b/.github/workflows/__split-workflow.yml
@@ -38,6 +38,9 @@ jobs:
 - os: macos-latest
 version: nightly-latest
 name: Split workflow
+ permissions:
+ contents: read
+ security-events: write
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__submit-sarif-failure.yml b/.github/workflows/__submit-sarif-failure.yml
index 88f6473f25..662e752c83 100644
--- a/.github/workflows/__submit-sarif-failure.yml
+++ b/.github/workflows/__submit-sarif-failure.yml
@@ -32,6 +32,9 @@ jobs:
 - os: ubuntu-latest
 version: nightly-latest
 name: Submit SARIF after failure
+ permissions:
+ contents: read
+ security-events: write
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__swift-custom-build.yml b/.github/workflows/__swift-custom-build.yml
index b5a1cc8b3b..5b4be35d53 100644
--- a/.github/workflows/__swift-custom-build.yml
+++ b/.github/workflows/__swift-custom-build.yml
@@ -38,6 +38,9 @@ jobs:
 - os: macos-latest
 version: nightly-latest
 name: Swift analysis using a custom build command
+ permissions:
+ contents: read
+ security-events: write
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__test-autobuild-working-dir.yml b/.github/workflows/__test-autobuild-working-dir.yml
index 619d3265dc..29ec1c918d 100644
--- a/.github/workflows/__test-autobuild-working-dir.yml
+++ b/.github/workflows/__test-autobuild-working-dir.yml
@@ -28,6 +28,9 @@ jobs:
 - os: ubuntu-latest
 version: latest
 name: Autobuild working directory
+ permissions:
+ contents: read
+ security-events: write
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__test-local-codeql.yml b/.github/workflows/__test-local-codeql.yml
index c3cff93ac4..4803a86ce4 100644
--- a/.github/workflows/__test-local-codeql.yml
+++ b/.github/workflows/__test-local-codeql.yml
@@ -28,6 +28,9 @@ jobs:
 - os: ubuntu-latest
 version: nightly-latest
 name: Local CodeQL bundle
+ permissions:
+ contents: read
+ security-events: write
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__test-proxy.yml b/.github/workflows/__test-proxy.yml
index 394824a31b..2d62346573 100644
--- a/.github/workflows/__test-proxy.yml
+++ b/.github/workflows/__test-proxy.yml
@@ -28,6 +28,9 @@ jobs:
 - os: ubuntu-latest
 version: latest
 name: Proxy test
+ permissions:
+ contents: read
+ security-events: write
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__unset-environment.yml b/.github/workflows/__unset-environment.yml
index 3678de9f91..86d2070aab 100644
--- a/.github/workflows/__unset-environment.yml
+++ b/.github/workflows/__unset-environment.yml
@@ -40,6 +40,9 @@ jobs:
 - os: ubuntu-latest
 version: nightly-latest
 name: Test unsetting environment variables
+ permissions:
+ contents: read
+ security-events: write
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__upload-ref-sha-input.yml b/.github/workflows/__upload-ref-sha-input.yml
index d062c0340d..3dd296a3fe 100644
--- a/.github/workflows/__upload-ref-sha-input.yml
+++ b/.github/workflows/__upload-ref-sha-input.yml
@@ -68,6 +68,9 @@ jobs:
 - os: windows-latest
 version: nightly-latest
 name: "Upload-sarif: 'ref' and 'sha' from inputs"
+ permissions:
+ contents: read
+ security-events: write
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__with-checkout-path.yml b/.github/workflows/__with-checkout-path.yml
index cfb7445a63..d55ddc4f5e 100644
--- a/.github/workflows/__with-checkout-path.yml
+++ b/.github/workflows/__with-checkout-path.yml
@@ -68,6 +68,9 @@ jobs:
 - os: windows-latest
 version: nightly-latest
 name: Use a custom `checkout_path`
+ permissions:
+ contents: read
+ security-events: write
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/pr-checks/sync.py b/pr-checks/sync.py
index 3cd968abb8..53604b6166 100644
--- a/pr-checks/sync.py
+++ b/pr-checks/sync.py
@@ -101,6 +101,10 @@ def writeHeader(checkStream):
 }
 },
 'name': checkSpecification['name'],
+ 'permissions': {
+ 'contents': 'read',
+ 'security-events': 'write'
+ },
 'timeout-minutes': 45,
 'runs-on': '${{ matrix.os }}',
 'steps': steps,
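Review bot: The generated job header now hard-codes `security-events: write` for every check in `writeHeader`, but nothing in the hunk records why the grant is needed or how a check narrows it, so the next maintainer may treat it as incidental; a comment above the new dict would fix that, e.g. `# Least-privilege default for generated jobs: the analyze/upload-sarif steps need security-events: write to upload results, and contents: read is enough to check out the repo; a check spec may override this mapping.` Elsewhere in this patch `__init-with-registries.yml` ends up with `packages: read` and no `security-events` grant, so some per-check override path outside this hunk appears to exist — confirm it replaces the whole mapping rather than merging keys, otherwise the broader default would leak into checks that only need registry access. If any of these generated workflows is ever run in a private repository, GitHub's documented CodeQL job permissions also call for `actions: read`, which this default omits; worth stating in the same comment so the omission reads as deliberate. `writeHeader` starts and ends outside the hunk.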