diff --git a/.github/workflows/__all-platform-bundle.yml b/.github/workflows/__all-platform-bundle.yml
index 7439f7e16..99b6b7bb4 100644
--- a/.github/workflows/__all-platform-bundle.yml
+++ b/.github/workflows/__all-platform-bundle.yml
@@ -32,7 +32,7 @@ jobs:
 name: All-platform bundle
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__analyze-ref-input.yml b/.github/workflows/__analyze-ref-input.yml
index 3047b9d73..52294f42d 100644
--- a/.github/workflows/__analyze-ref-input.yml
+++ b/.github/workflows/__analyze-ref-input.yml
@@ -36,7 +36,7 @@ jobs:
 name: "Analyze: 'ref' and 'sha' from inputs"
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__autobuild-action.yml b/.github/workflows/__autobuild-action.yml
index 497f668a0..080f9893a 100644
--- a/.github/workflows/__autobuild-action.yml
+++ b/.github/workflows/__autobuild-action.yml
@@ -36,7 +36,7 @@ jobs:
 name: autobuild-action
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml b/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml
index 4ee53ef13..3ccdecda5 100644
--- a/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml
+++ b/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml
@@ -38,7 +38,7 @@ jobs:
 name: Autobuild direct tracing (custom working directory)
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__autobuild-direct-tracing.yml b/.github/workflows/__autobuild-direct-tracing.yml
index 964f53fd6..90084856f 100644
--- a/.github/workflows/__autobuild-direct-tracing.yml
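Review bot: The new `security-events: read` in `__all-platform-bundle.yml` (and identically in every other `__*.yml` hunk on this page, in `expected-queries-runs.yml` and in `test-codeql-bundle-all.yml`) keeps a scope whose use is not visible in the hunk, and an explicit `permissions:` block already leaves unlisted scopes at none, so if these checks never read Code Scanning data the line can be dropped rather than downgraded. If any of these jobs does still upload SARIF — presumably they run in test mode or with upload disabled, which the hunk does not show — the analyze step would now fail at runtime with a permissions error rather than at workflow validation, so a full run of the check matrix is the real verification for this change. Whichever way it goes, a one-line justification in the style the commit already uses elsewhere (`# needed to upload the SARIF file`) would make the intent auditable; since these files are generated, that line belongs with the default in `pr-checks/sync.py` rather than in each workflow. The enclosing job definition starts before and continues after the hunk.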
+++ b/.github/workflows/__autobuild-direct-tracing.yml
@@ -38,7 +38,7 @@ jobs:
 name: Autobuild direct tracing
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__build-mode-autobuild.yml b/.github/workflows/__build-mode-autobuild.yml
index 3c934442c..5219e619c 100644
--- a/.github/workflows/__build-mode-autobuild.yml
+++ b/.github/workflows/__build-mode-autobuild.yml
@@ -32,7 +32,7 @@ jobs:
 name: Build mode autobuild
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__build-mode-manual.yml b/.github/workflows/__build-mode-manual.yml
index 74252c996..cae260261 100644
--- a/.github/workflows/__build-mode-manual.yml
+++ b/.github/workflows/__build-mode-manual.yml
@@ -32,7 +32,7 @@ jobs:
 name: Build mode manual
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__build-mode-none.yml b/.github/workflows/__build-mode-none.yml
index a9ce123f9..f2cccc577 100644
--- a/.github/workflows/__build-mode-none.yml
+++ b/.github/workflows/__build-mode-none.yml
@@ -34,7 +34,7 @@ jobs:
 name: Build mode none
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__build-mode-rollback.yml b/.github/workflows/__build-mode-rollback.yml
index 5457a02d5..3573aff7e 100644
--- a/.github/workflows/__build-mode-rollback.yml
+++ b/.github/workflows/__build-mode-rollback.yml
@@ -32,7 +32,7 @@ jobs:
 name: Build mode rollback
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__cleanup-db-cluster-dir.yml b/.github/workflows/__cleanup-db-cluster-dir.yml
index b6abe761a..1c1afd1fa 100644
--- a/.github/workflows/__cleanup-db-cluster-dir.yml
+++ b/.github/workflows/__cleanup-db-cluster-dir.yml
@@ -32,7 +32,7 @@ jobs:
 name: Clean up database cluster directory
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__config-export.yml b/.github/workflows/__config-export.yml
index 76b7b9037..536060cc4 100644
--- a/.github/workflows/__config-export.yml
+++ b/.github/workflows/__config-export.yml
@@ -42,7 +42,7 @@ jobs:
 name: Config export
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__config-input.yml b/.github/workflows/__config-input.yml
index 1b419aee7..6afbf58d7 100644
--- a/.github/workflows/__config-input.yml
+++ b/.github/workflows/__config-input.yml
@@ -32,7 +32,7 @@ jobs:
 name: Config input
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__cpp-deptrace-disabled.yml b/.github/workflows/__cpp-deptrace-disabled.yml
index 17aa07c8b..11668c95b 100644
--- a/.github/workflows/__cpp-deptrace-disabled.yml
+++ b/.github/workflows/__cpp-deptrace-disabled.yml
@@ -36,7 +36,7 @@ jobs:
 name: 'C/C++: disabling autoinstalling dependencies (Linux)'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__cpp-deptrace-enabled-on-macos.yml b/.github/workflows/__cpp-deptrace-enabled-on-macos.yml
index 60997a917..d2e417161 100644
--- a/.github/workflows/__cpp-deptrace-enabled-on-macos.yml
+++ b/.github/workflows/__cpp-deptrace-enabled-on-macos.yml
@@ -32,7 +32,7 @@ jobs:
 name: 'C/C++: autoinstalling dependencies is skipped (macOS)'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__cpp-deptrace-enabled.yml b/.github/workflows/__cpp-deptrace-enabled.yml
index ce9087f09..87c665b5b 100644
--- a/.github/workflows/__cpp-deptrace-enabled.yml
+++ b/.github/workflows/__cpp-deptrace-enabled.yml
@@ -36,7 +36,7 @@ jobs:
 name: 'C/C++: autoinstalling dependencies (Linux)'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__diagnostics-export.yml b/.github/workflows/__diagnostics-export.yml
index 53014cf36..113733947 100644
--- a/.github/workflows/__diagnostics-export.yml
+++ b/.github/workflows/__diagnostics-export.yml
@@ -42,7 +42,7 @@ jobs:
 name: Diagnostic export
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__export-file-baseline-information.yml b/.github/workflows/__export-file-baseline-information.yml
index e6e38ef8a..2f48ad4c5 100644
--- a/.github/workflows/__export-file-baseline-information.yml
+++ b/.github/workflows/__export-file-baseline-information.yml
@@ -36,7 +36,7 @@ jobs:
 name: Export file baseline information
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__extract-direct-to-toolcache.yml b/.github/workflows/__extract-direct-to-toolcache.yml
index 32727c997..34023f705 100644
--- a/.github/workflows/__extract-direct-to-toolcache.yml
+++ b/.github/workflows/__extract-direct-to-toolcache.yml
@@ -36,7 +36,7 @@ jobs:
 name: Extract directly to toolcache
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__extractor-ram-threads.yml b/.github/workflows/__extractor-ram-threads.yml
index 1c3806083..fd2cfd9e8 100644
--- a/.github/workflows/__extractor-ram-threads.yml
+++ b/.github/workflows/__extractor-ram-threads.yml
@@ -32,7 +32,7 @@ jobs:
 name: Extractor ram and threads options test
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__go-custom-queries.yml b/.github/workflows/__go-custom-queries.yml
index 927b2b88b..5459ab3f0 100644
--- a/.github/workflows/__go-custom-queries.yml
+++ b/.github/workflows/__go-custom-queries.yml
@@ -34,7 +34,7 @@ jobs:
 name: 'Go: Custom queries'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml b/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml
index 27f1ac7eb..7136d70ce 100644
--- a/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml
+++ b/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml
@@ -32,7 +32,7 @@ jobs:
 name: 'Go: diagnostic when Go is changed after init step'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml b/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml
index 471fc6497..341f4f70a 100644
--- a/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml
+++ b/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml
@@ -32,7 +32,7 @@ jobs:
 name: 'Go: diagnostic when `file` is not installed'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__go-indirect-tracing-workaround.yml b/.github/workflows/__go-indirect-tracing-workaround.yml
index 62459c3eb..24c95104d 100644
--- a/.github/workflows/__go-indirect-tracing-workaround.yml
+++ b/.github/workflows/__go-indirect-tracing-workaround.yml
@@ -32,7 +32,7 @@ jobs:
 name: 'Go: workaround for indirect tracing'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__go-tracing-autobuilder.yml b/.github/workflows/__go-tracing-autobuilder.yml
index 20caf1700..4e3b485ab 100644
--- a/.github/workflows/__go-tracing-autobuilder.yml
+++ b/.github/workflows/__go-tracing-autobuilder.yml
@@ -62,7 +62,7 @@ jobs:
 name: 'Go: tracing with autobuilder step'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__go-tracing-custom-build-steps.yml b/.github/workflows/__go-tracing-custom-build-steps.yml
index f5dc2333b..340f6e875 100644
--- a/.github/workflows/__go-tracing-custom-build-steps.yml
+++ b/.github/workflows/__go-tracing-custom-build-steps.yml
@@ -62,7 +62,7 @@ jobs:
 name: 'Go: tracing with custom build steps'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__go-tracing-legacy-workflow.yml b/.github/workflows/__go-tracing-legacy-workflow.yml
index 4baab1171..3af8b1e3a 100644
--- a/.github/workflows/__go-tracing-legacy-workflow.yml
+++ b/.github/workflows/__go-tracing-legacy-workflow.yml
@@ -62,7 +62,7 @@ jobs:
 name: 'Go: tracing with legacy workflow'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__javascript-source-root.yml b/.github/workflows/__javascript-source-root.yml
index 04d93978e..ba2ccd1b5 100644
--- a/.github/workflows/__javascript-source-root.yml
+++ b/.github/workflows/__javascript-source-root.yml
@@ -36,7 +36,7 @@ jobs:
 name: Custom source root
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__job-run-uuid-sarif.yml b/.github/workflows/__job-run-uuid-sarif.yml
index 40ff0cb74..1529a7234 100644
--- a/.github/workflows/__job-run-uuid-sarif.yml
+++ b/.github/workflows/__job-run-uuid-sarif.yml
@@ -32,7 +32,7 @@ jobs:
 name: Job run UUID added to SARIF
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__language-aliases.yml b/.github/workflows/__language-aliases.yml
index a7db4bdf6..0a77e4154 100644
--- a/.github/workflows/__language-aliases.yml
+++ b/.github/workflows/__language-aliases.yml
@@ -32,7 +32,7 @@ jobs:
 name: Language aliases
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__multi-language-autodetect.yml b/.github/workflows/__multi-language-autodetect.yml
index 1bab334dc..5d9cc9974 100644
--- a/.github/workflows/__multi-language-autodetect.yml
+++ b/.github/workflows/__multi-language-autodetect.yml
@@ -62,7 +62,7 @@ jobs:
 name: Multi-language repository
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__packaging-codescanning-config-inputs-js.yml b/.github/workflows/__packaging-codescanning-config-inputs-js.yml
index 15aeeb417..bb54bc83a 100644
--- a/.github/workflows/__packaging-codescanning-config-inputs-js.yml
+++ b/.github/workflows/__packaging-codescanning-config-inputs-js.yml
@@ -48,7 +48,7 @@ jobs:
 name: 'Packaging: Config and input passed to the CLI'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__packaging-config-inputs-js.yml b/.github/workflows/__packaging-config-inputs-js.yml
index e68085be0..125ca7a7d 100644
--- a/.github/workflows/__packaging-config-inputs-js.yml
+++ b/.github/workflows/__packaging-config-inputs-js.yml
@@ -48,7 +48,7 @@ jobs:
 name: 'Packaging: Config and input'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__packaging-config-js.yml b/.github/workflows/__packaging-config-js.yml
index dea5d8eae..db3e9b7ed 100644
--- a/.github/workflows/__packaging-config-js.yml
+++ b/.github/workflows/__packaging-config-js.yml
@@ -48,7 +48,7 @@ jobs:
 name: 'Packaging: Config file'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__packaging-inputs-js.yml b/.github/workflows/__packaging-inputs-js.yml
index cbb91f90d..c5f4bdc35 100644
--- a/.github/workflows/__packaging-inputs-js.yml
+++ b/.github/workflows/__packaging-inputs-js.yml
@@ -48,7 +48,7 @@ jobs:
 name: 'Packaging: Action input'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__remote-config.yml b/.github/workflows/__remote-config.yml
index 198fdde92..a615c66ad 100644
--- a/.github/workflows/__remote-config.yml
+++ b/.github/workflows/__remote-config.yml
@@ -34,7 +34,7 @@ jobs:
 name: Remote config file
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__resolve-environment-action.yml b/.github/workflows/__resolve-environment-action.yml
index 2c6380323..632e71e65 100644
--- a/.github/workflows/__resolve-environment-action.yml
+++ b/.github/workflows/__resolve-environment-action.yml
@@ -48,7 +48,7 @@ jobs:
 name: Resolve environment
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__rubocop-multi-language.yml b/.github/workflows/__rubocop-multi-language.yml
index 16a6c958d..dca3140bd 100644
--- a/.github/workflows/__rubocop-multi-language.yml
+++ b/.github/workflows/__rubocop-multi-language.yml
@@ -32,7 +32,7 @@ jobs:
 name: RuboCop multi-language
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__ruby.yml b/.github/workflows/__ruby.yml
index 441b51981..ff9769c01 100644
--- a/.github/workflows/__ruby.yml
+++ b/.github/workflows/__ruby.yml
@@ -42,7 +42,7 @@ jobs:
 name: Ruby analysis
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__split-workflow.yml b/.github/workflows/__split-workflow.yml
index ea72bde86..c1e0058c1 100644
--- a/.github/workflows/__split-workflow.yml
+++ b/.github/workflows/__split-workflow.yml
@@ -42,7 +42,7 @@ jobs:
 name: Split workflow
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__start-proxy.yml b/.github/workflows/__start-proxy.yml
index e66da8bfd..f2e9b6460 100644
--- a/.github/workflows/__start-proxy.yml
+++ b/.github/workflows/__start-proxy.yml
@@ -36,7 +36,7 @@ jobs:
 name: Start proxy
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__submit-sarif-failure.yml b/.github/workflows/__submit-sarif-failure.yml
index 1f4300d63..4c37ac0ab 100644
--- a/.github/workflows/__submit-sarif-failure.yml
+++ b/.github/workflows/__submit-sarif-failure.yml
@@ -36,7 +36,8 @@ jobs:
 name: Submit SARIF after failure
 permissions:
 contents: read
- security-events: write
+ security-events: write # needed to upload the SARIF file
+
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__swift-autobuild.yml b/.github/workflows/__swift-autobuild.yml
index 9c17dda79..7be7c0b33 100644
--- a/.github/workflows/__swift-autobuild.yml
+++ b/.github/workflows/__swift-autobuild.yml
@@ -32,7 +32,7 @@ jobs:
 name: Swift analysis using autobuild
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__swift-custom-build.yml b/.github/workflows/__swift-custom-build.yml
index ae3d80225..1e6009c66 100644
--- a/.github/workflows/__swift-custom-build.yml
+++ b/.github/workflows/__swift-custom-build.yml
@@ -36,7 +36,7 @@ jobs:
 name: Swift analysis using a custom build command
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__test-autobuild-working-dir.yml b/.github/workflows/__test-autobuild-working-dir.yml
index 144ca2173..52fd8c1ab 100644
--- a/.github/workflows/__test-autobuild-working-dir.yml
+++ b/.github/workflows/__test-autobuild-working-dir.yml
@@ -32,7 +32,7 @@ jobs:
 name: Autobuild working directory
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__test-local-codeql.yml b/.github/workflows/__test-local-codeql.yml
index 27792efce..c14d9543a 100644
--- a/.github/workflows/__test-local-codeql.yml
+++ b/.github/workflows/__test-local-codeql.yml
@@ -32,7 +32,7 @@ jobs:
 name: Local CodeQL bundle
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__test-proxy.yml b/.github/workflows/__test-proxy.yml
index 1b2bb6811..f542d4d4d 100644
--- a/.github/workflows/__test-proxy.yml
+++ b/.github/workflows/__test-proxy.yml
@@ -34,7 +34,7 @@ jobs:
 name: Proxy test
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__unset-environment.yml b/.github/workflows/__unset-environment.yml
index 3a2105487..82ac0e60b 100644
--- a/.github/workflows/__unset-environment.yml
+++ b/.github/workflows/__unset-environment.yml
@@ -34,7 +34,7 @@ jobs:
 name: Test unsetting environment variables
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__upload-ref-sha-input.yml b/.github/workflows/__upload-ref-sha-input.yml
index 7483a8362..a1a5ad4b8 100644
--- a/.github/workflows/__upload-ref-sha-input.yml
+++ b/.github/workflows/__upload-ref-sha-input.yml
@@ -36,7 +36,7 @@ jobs:
 name: "Upload-sarif: 'ref' and 'sha' from inputs"
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__with-checkout-path.yml b/.github/workflows/__with-checkout-path.yml
index d054ca0ce..524f96517 100644
--- a/.github/workflows/__with-checkout-path.yml
+++ b/.github/workflows/__with-checkout-path.yml
@@ -36,7 +36,7 @@ jobs:
 name: Use a custom `checkout_path`
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__zstd-bundle-streaming.yml b/.github/workflows/__zstd-bundle-streaming.yml
index e6fad5708..0a5b39d09 100644
--- a/.github/workflows/__zstd-bundle-streaming.yml
+++ b/.github/workflows/__zstd-bundle-streaming.yml
@@ -34,7 +34,7 @@ jobs:
 name: Zstandard bundle (streaming)
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__zstd-bundle.yml b/.github/workflows/__zstd-bundle.yml
index f45268af8..a8065cb97 100644
--- a/.github/workflows/__zstd-bundle.yml
+++ b/.github/workflows/__zstd-bundle.yml
@@ -36,7 +36,7 @@ jobs:
 name: Zstandard bundle
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/check-expected-release-files.yml b/.github/workflows/check-expected-release-files.yml
index c5d225b41..fd1d7c5ae 100644
--- a/.github/workflows/check-expected-release-files.yml
+++ b/.github/workflows/check-expected-release-files.yml
@@ -13,6 +13,9 @@ jobs:
 check-expected-release-files:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+
 steps:
 - name: Checkout CodeQL Action
 uses: actions/checkout@v4
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 0703ff367..130ef5883 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -24,7 +24,7 @@ jobs:
 versions: ${{ steps.compare.outputs.versions }}
 permissions:
- security-events: write
+ contents: read
 steps:
 - uses: actions/checkout@v4
@@ -80,7 +80,8 @@ jobs:
 runs-on: ${{ matrix.os }}
 permissions:
- security-events: write
+ contents: read
+ security-events: write # needed to upload results
 steps:
 - name: Checkout
diff --git a/.github/workflows/codescanning-config-cli.yml b/.github/workflows/codescanning-config-cli.yml
index c4cd4eeaa..01795943c 100644
--- a/.github/workflows/codescanning-config-cli.yml
+++ b/.github/workflows/codescanning-config-cli.yml
@@ -23,6 +23,11 @@ jobs:
 code-scanning-config-tests:
 continue-on-error: true
+ permissions:
+ contents: read
+ packages: read
+ security-events: read
+
 strategy:
 fail-fast: false
 matrix:
diff --git a/.github/workflows/debug-artifacts-failure.yml b/.github/workflows/debug-artifacts-failure.yml
index 4efa19651..995071df6 100644
--- a/.github/workflows/debug-artifacts-failure.yml
+++ b/.github/workflows/debug-artifacts-failure.yml
@@ -23,6 +23,8 @@ jobs:
 continue-on-error: true
 env:
 CODEQL_ACTION_TEST_MODE: true
+ permissions:
+ contents: read
 timeout-minutes: 45
 runs-on: ubuntu-latest
 steps:
@@ -58,6 +60,8 @@ jobs:
 name: Download and check debug artifacts after failure in analyze
 needs: upload-artifacts
 timeout-minutes: 45
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - name: Download all artifacts
diff --git a/.github/workflows/debug-artifacts.yml b/.github/workflows/debug-artifacts.yml
index a8cf71008..2dd069135 100644
--- a/.github/workflows/debug-artifacts.yml
+++ b/.github/workflows/debug-artifacts.yml
@@ -34,6 +34,8 @@ jobs:
 env:
 CODEQL_ACTION_TEST_MODE: true
 timeout-minutes: 45
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - name: Check out repository
@@ -64,6 +66,8 @@ jobs:
 name: Download and check debug artifacts
 needs: upload-artifacts
 timeout-minutes: 45
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - name: Download all artifacts
diff --git a/.github/workflows/expected-queries-runs.yml b/.github/workflows/expected-queries-runs.yml
index e76c8920d..fd75a39a1 100644
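Review bot: `packages: read` in the `code-scanning-config-tests` job of `codescanning-config-cli.yml` is the only scope added on this page without the `# needed to ...` justification that the `codeql.yml` hunk above it and the other write grants carry, and nothing in the hunk shows what consumes it; the job's steps start after the hunk, so the consumer (presumably a package-registry download) cannot be confirmed from here. If the scope is needed, annotate it in the same style, e.g. `packages: read # needed to download CodeQL packs`, so the grant stays reviewable; if it is not, drop it so the job holds no scope it does not use. The same question applies to `security-events: read` in the same block, since unlisted scopes already default to none once a `permissions:` block is present.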
--- a/.github/workflows/expected-queries-runs.yml
+++ b/.github/workflows/expected-queries-runs.yml
@@ -24,7 +24,7 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 contents: read
- security-events: write
+ security-events: read
 steps:
 - name: Check out repository
 uses: actions/checkout@v4
diff --git a/.github/workflows/post-release-mergeback.yml b/.github/workflows/post-release-mergeback.yml
index f6896fb22..9b0b35118 100644
--- a/.github/workflows/post-release-mergeback.yml
+++ b/.github/workflows/post-release-mergeback.yml
@@ -27,6 +27,9 @@ jobs:
 BASE_BRANCH: "${{ github.event.inputs.baseBranch || 'main' }}"
 HEAD_BRANCH: "${{ github.head_ref || github.ref }}"
+ permissions:
+ contents: write # needed to create tags and push commits
+
 steps:
 - name: Dump environment
 run: env
diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
index bd406774b..18ff78248 100644
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -15,7 +15,7 @@ jobs:
 timeout-minutes: 45
 permissions:
 contents: read
- security-events: write
+ security-events: write # needed to upload ESLint results
 strategy:
 fail-fast: false
@@ -40,6 +40,8 @@ jobs:
 check-node-modules:
 if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
 name: Check modules up to date
+ permissions:
+ contents: read
 runs-on: macos-latest
 timeout-minutes: 45
@@ -51,6 +53,8 @@ jobs:
 check-file-contents:
 if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
 name: Check file contents
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 timeout-minutes: 45
@@ -81,6 +85,8 @@ jobs:
 fail-fast: false
 matrix:
 os: [ubuntu-latest, macos-latest, windows-latest]
+ permissions:
+ contents: read
 runs-on: ${{ matrix.os }}
 timeout-minutes: 45
@@ -101,6 +107,9 @@ jobs:
 env:
 BASE_REF: ${{ github.base_ref }}
+ permissions:
+ contents: read
+
 steps:
 - uses: actions/checkout@v4
 - id: head-version
diff --git a/.github/workflows/python312-windows.yml b/.github/workflows/python312-windows.yml
index da5226dc2..b9eba295b 100644
--- a/.github/workflows/python312-windows.yml
+++ b/.github/workflows/python312-windows.yml
@@ -17,6 +17,8 @@ jobs:
 env:
 CODEQL_ACTION_TEST_MODE: true
 timeout-minutes: 45
+ permissions:
+ contents: read
 runs-on: windows-latest
 steps:
diff --git a/.github/workflows/rebuild.yml b/.github/workflows/rebuild.yml
index c2dcb2c69..97cac94fb 100644
--- a/.github/workflows/rebuild.yml
+++ b/.github/workflows/rebuild.yml
@@ -11,6 +11,9 @@ jobs:
 runs-on: ubuntu-latest
 if: github.event.label.name == 'Rebuild'
+ permissions:
+ contents: write # needed to push rebuilt commit
+ pull-requests: write # needed to comment on the PR
 steps:
 - name: Checkout
 uses: actions/checkout@v4
diff --git a/.github/workflows/test-codeql-bundle-all.yml b/.github/workflows/test-codeql-bundle-all.yml
index 2524f58e4..4d08c2117 100644
--- a/.github/workflows/test-codeql-bundle-all.yml
+++ b/.github/workflows/test-codeql-bundle-all.yml
@@ -27,7 +27,7 @@ jobs:
 name: 'CodeQL Bundle All'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/update-bundle.yml b/.github/workflows/update-bundle.yml
index 36a96c739..73ab6b414 100644
--- a/.github/workflows/update-bundle.yml
+++ b/.github/workflows/update-bundle.yml
@@ -17,6 +17,9 @@ jobs:
 update-bundle:
 if: github.event.release.prerelease && startsWith(github.event.release.tag_name, 'codeql-bundle-')
 runs-on: ubuntu-latest
+ permissions:
+ contents: write # needed to push commits
+ pull-requests: write # needed to create pull requests
 steps:
 - name: Dump environment
 run: env
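Review bot: The job in `rebuild.yml` now explicitly holds `contents: write` and `pull-requests: write` while its only guard is `if: github.event.label.name == 'Rebuild'`; unlike `update-dependencies.yml` on this page, there is no condition that the pull request's head repository is this repository. Whether that matters depends on the workflow trigger, which is outside the hunk: on a plain `pull_request` event from a fork the token is read-only regardless, but if the trigger is `pull_request_target` the job would check out and push with a write-capable token based on a label alone. Consider mirroring the guard already used in `update-dependencies.yml`, `if: github.event.label.name == 'Rebuild' && github.event.pull_request.head.repo.full_name == 'github/codeql-action'`, or adding a comment stating why the trigger makes it unnecessary. The job definition continues after the hunk.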
diff --git a/.github/workflows/update-dependencies.yml b/.github/workflows/update-dependencies.yml
index 0d24650e0..364dec011 100644
--- a/.github/workflows/update-dependencies.yml
+++ b/.github/workflows/update-dependencies.yml
@@ -9,6 +9,9 @@ jobs:
 timeout-minutes: 45
 runs-on: macos-latest
 if: contains(github.event.pull_request.labels.*.name, 'Update dependencies') && (github.event.pull_request.head.repo.full_name == 'github/codeql-action')
+ permissions:
+ contents: write # needed to push the updated dependencies
+ pull-requests: write # needed to comment on the PR
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
diff --git a/.github/workflows/update-release-branch.yml b/.github/workflows/update-release-branch.yml
index cac2c67b1..71bd817a7 100644
--- a/.github/workflows/update-release-branch.yml
+++ b/.github/workflows/update-release-branch.yml
@@ -22,6 +22,8 @@ jobs:
 latest_tag: ${{ steps.versions.outputs.latest_tag }}
 backport_source_branch: ${{ steps.branches.outputs.backport_source_branch }}
 backport_target_branches: ${{ steps.branches.outputs.backport_target_branches }}
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v4
 with:
@@ -63,6 +65,9 @@ jobs:
 REPOSITORY: "${{ github.repository }}"
 MAJOR_VERSION: "${{ needs.prepare.outputs.major_version }}"
 LATEST_TAG: "${{ needs.prepare.outputs.latest_tag }}"
+ permissions:
+ contents: write # needed to push commits
+ pull-requests: write # needed to create pull request
 steps:
 - uses: actions/checkout@v4
 with:
@@ -114,6 +119,9 @@ jobs:
 env:
 SOURCE_BRANCH: ${{ needs.prepare.outputs.backport_source_branch }}
 TARGET_BRANCH: ${{ matrix.target_branch }}
+ permissions:
+ contents: write # needed to push commits
+ pull-requests: write # needed to create pull request
 steps:
 - name: Generate token
 uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755
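Review bot: The `@@ -114,6 +119,9 @@` hunk of `update-release-branch.yml` grants `contents: write` and `pull-requests: write` to the default token, yet the first step in the same hunk is `Generate token` via `actions/create-github-app-token`, which suggests the push and pull-request creation use the app token rather than `GITHUB_TOKEN`. If that is so — the steps after the hunk would confirm it — the two write scopes on the default token are unused and `contents: read` for the checkout would suffice; the same check applies to the `@@ -63,6 +65,9 @@` hunk above it if that job also mints an app token. If `GITHUB_TOKEN` really is used for some of the writes, extend the comments to name the step that needs it, e.g. `contents: write # needed by the push step, which uses GITHUB_TOKEN`, so the grant can be verified without tracing the whole job.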
diff --git a/.github/workflows/update-supported-enterprise-server-versions.yml b/.github/workflows/update-supported-enterprise-server-versions.yml
index 690010100..5eaa167c3 100644
--- a/.github/workflows/update-supported-enterprise-server-versions.yml
+++ b/.github/workflows/update-supported-enterprise-server-versions.yml
@@ -10,7 +10,10 @@ jobs:
 name: Update Supported Enterprise Server Versions
 timeout-minutes: 45
 runs-on: ubuntu-latest
- if: ${{ github.repository == 'github/codeql-action' }}
+ if: github.repository == 'github/codeql-action'
+ permissions:
+ contents: write # needed to push commits
+ pull-requests: write # needed to create pull request
 steps:
 - name: Setup Python
diff --git a/pr-checks/checks/submit-sarif-failure.yml b/pr-checks/checks/submit-sarif-failure.yml
index 7dd5ac76b..070042885 100644
--- a/pr-checks/checks/submit-sarif-failure.yml
+++ b/pr-checks/checks/submit-sarif-failure.yml
@@ -14,6 +14,10 @@ env:
 # Mark telemetry for this workflow so it can be treated separately.
 CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks
+permissions:
+ contents: read
+ security-events: write # needed to upload the SARIF file
+
 steps:
 - uses: actions/checkout@v4
 - uses: ./init
diff --git a/pr-checks/sync.py b/pr-checks/sync.py
index 13ee591af..f27dbdd8f 100755
--- a/pr-checks/sync.py
+++ b/pr-checks/sync.py
@@ -126,7 +126,7 @@ def writeHeader(checkStream):
 'name': checkSpecification['name'],
 'permissions': {
 'contents': 'read',
- 'security-events': 'write'
+ 'security-events': 'read'
 },
 'timeout-minutes': 45,
 'runs-on': '${{ matrix.os }}',
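Review bot: The new default `'security-events': 'read'` in `writeHeader` in `pr-checks/sync.py` is undocumented, and the hunk gives no hint that a check which uploads SARIF must opt back in; the only evidence of the override path is elsewhere on this page, where `pr-checks/checks/submit-sarif-failure.yml` adds its own `permissions` block and the generated `__submit-sarif-failure.yml` ends up with `write`. Without a comment, the next check that uploads will be generated with `read` and fail only when the upload step runs. Add a comment above the entry along the lines of `# Read-only by default; a check that uploads SARIF sets security-events: write in the permissions block of its spec, which takes precedence over this header` — worded to match however the merge is actually implemented, since that logic is outside the hunk. `writeHeader` starts before the hunk and continues after it.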