comparison .github/workflows/codeql-analysis.yml @ 7129:c7e35b96907d
Try another permission setup.
security-events has to be write to allow codeql to work. The OSSF security
scan complains about the write at the top level.
So leave top level read only and add write at job level.
See if codeql will not fail (missing write perms caused failure in
codeql init).
Note that ossf recommended remediation step using:
https://app.stepsecurity.io/secureworkflow/roundup-tracker/roundup/codeql-analysis.yml/master?enable=permissions
had no issue with the permissions defined in the workflow. I had a
green checkmark.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Mon, 23 Jan 2023 21:21:38 -0500 |
| parents | 2685dd56806a |
| children | cc49ac11850f |
| 7128:2685dd56806a | 7129:c7e35b96907d |
|---|---|
| 19 # The branches below must be a subset of the branches above | 19 # The branches below must be a subset of the branches above |
| 20 branches: [ master ] | 20 branches: [ master ] |
| 21 schedule: | 21 schedule: |
| 22 - cron: '28 17 * * 1' | 22 - cron: '28 17 * * 1' |
| 23 | 23 |
| 24 permissions: | |
| 25 contents: read | |
| 26 | |
| 24 concurrency: | 27 concurrency: |
| 25 group: ${{ github.workflow }}-${{ github.ref }} | 28 group: ${{ github.workflow }}-${{ github.ref }} |
| 26 cancel-in-progress: true | 29 cancel-in-progress: true |
| 27 | |
| 28 permissions: | |
| 29 contents: read | |
| 30 security-events: write | |
| 31 | 30 |
| 32 jobs: | 31 jobs: |
| 33 analyze: | 32 analyze: |
| 34 name: Analyze | 33 name: Analyze |
| 35 runs-on: ubuntu-latest | 34 runs-on: ubuntu-latest |
| 35 | |
| 36 permissions: | |
| 37 contents: read | |
| 38 security-events: write | |
| 36 | 39 |
| 37 strategy: | 40 strategy: |
| 38 fail-fast: false | 41 fail-fast: false |
| 39 matrix: | 42 matrix: |
| 40 language: [ 'javascript', 'python' ] | 43 language: [ 'javascript', 'python' ] |
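Review bot: the right column jumps from line 23 to line 27, so the top-level `permissions: contents: read` block that the commit message says is being kept is not visible in this comparison; please confirm it still exists in 7129 at lines 24-26 (the old side, by contrast, carried two top-level `permissions:` keys at lines 24 and 28, a duplicate mapping key that YAML loaders resolve inconsistently, so collapsing to one top-level block plus the job-level block is the right fix). One thing to keep in mind with the new lines 36-38: a job-level `permissions` block replaces the workflow-level one for that job rather than merging with it, so `contents: read` must stay listed next to `security-events: write` or the checkout step loses read access. It would also help to add a short YAML comment above the job-level block noting that the write scope is deliberately job-scoped to satisfy the OSSF Scorecard token-permissions check, so a later clean-up does not hoist it back to the top level.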
