diff --git a/.github/workflows/__all-platform-bundle.yml b/.github/workflows/__all-platform-bundle.yml
index 7439f7e16..99b6b7bb4 100644
--- a/.github/workflows/__all-platform-bundle.yml
+++ b/.github/workflows/__all-platform-bundle.yml
@@ -32,7 +32,7 @@ jobs:
 name: All-platform bundle
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__analyze-ref-input.yml b/.github/workflows/__analyze-ref-input.yml
index 3047b9d73..52294f42d 100644
--- a/.github/workflows/__analyze-ref-input.yml
+++ b/.github/workflows/__analyze-ref-input.yml
@@ -36,7 +36,7 @@ jobs:
 name: "Analyze: 'ref' and 'sha' from inputs"
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__autobuild-action.yml b/.github/workflows/__autobuild-action.yml
index 497f668a0..080f9893a 100644
--- a/.github/workflows/__autobuild-action.yml
+++ b/.github/workflows/__autobuild-action.yml
@@ -36,7 +36,7 @@ jobs:
 name: autobuild-action
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml b/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml
index 4ee53ef13..3ccdecda5 100644
--- a/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml
+++ b/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml
@@ -38,7 +38,7 @@ jobs:
 name: Autobuild direct tracing (custom working directory)
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__autobuild-direct-tracing.yml b/.github/workflows/__autobuild-direct-tracing.yml
index 964f53fd6..90084856f 100644
--- a/.github/workflows/__autobuild-direct-tracing.yml
+++ b/.github/workflows/__autobuild-direct-tracing.yml
@@ -38,7 +38,7 @@ jobs:
 name: Autobuild direct tracing
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__build-mode-autobuild.yml b/.github/workflows/__build-mode-autobuild.yml
index 3c934442c..5219e619c 100644
--- a/.github/workflows/__build-mode-autobuild.yml
+++ b/.github/workflows/__build-mode-autobuild.yml
@@ -32,7 +32,7 @@ jobs:
 name: Build mode autobuild
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__build-mode-manual.yml b/.github/workflows/__build-mode-manual.yml
index 74252c996..cae260261 100644
--- a/.github/workflows/__build-mode-manual.yml
+++ b/.github/workflows/__build-mode-manual.yml
@@ -32,7 +32,7 @@ jobs:
 name: Build mode manual
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__build-mode-none.yml b/.github/workflows/__build-mode-none.yml
index a9ce123f9..f2cccc577 100644
--- a/.github/workflows/__build-mode-none.yml
+++ b/.github/workflows/__build-mode-none.yml
@@ -34,7 +34,7 @@ jobs:
 name: Build mode none
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__build-mode-rollback.yml b/.github/workflows/__build-mode-rollback.yml
index 5457a02d5..3573aff7e 100644
--- a/.github/workflows/__build-mode-rollback.yml
+++ b/.github/workflows/__build-mode-rollback.yml
@@ -32,7 +32,7 @@ jobs:
 name: Build mode rollback
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__cleanup-db-cluster-dir.yml b/.github/workflows/__cleanup-db-cluster-dir.yml
index b6abe761a..1c1afd1fa 100644
--- a/.github/workflows/__cleanup-db-cluster-dir.yml
+++ b/.github/workflows/__cleanup-db-cluster-dir.yml
@@ -32,7 +32,7 @@ jobs:
 name: Clean up database cluster directory
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__config-export.yml b/.github/workflows/__config-export.yml
index 76b7b9037..536060cc4 100644
--- a/.github/workflows/__config-export.yml
+++ b/.github/workflows/__config-export.yml
@@ -42,7 +42,7 @@ jobs:
 name: Config export
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__config-input.yml b/.github/workflows/__config-input.yml
index 1b419aee7..6afbf58d7 100644
--- a/.github/workflows/__config-input.yml
+++ b/.github/workflows/__config-input.yml
@@ -32,7 +32,7 @@ jobs:
 name: Config input
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__cpp-deptrace-disabled.yml b/.github/workflows/__cpp-deptrace-disabled.yml
index 17aa07c8b..11668c95b 100644
--- a/.github/workflows/__cpp-deptrace-disabled.yml
+++ b/.github/workflows/__cpp-deptrace-disabled.yml
@@ -36,7 +36,7 @@ jobs:
 name: 'C/C++: disabling autoinstalling dependencies (Linux)'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__cpp-deptrace-enabled-on-macos.yml b/.github/workflows/__cpp-deptrace-enabled-on-macos.yml
index 60997a917..d2e417161 100644
--- a/.github/workflows/__cpp-deptrace-enabled-on-macos.yml
+++ b/.github/workflows/__cpp-deptrace-enabled-on-macos.yml
@@ -32,7 +32,7 @@ jobs:
 name: 'C/C++: autoinstalling dependencies is skipped (macOS)'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__cpp-deptrace-enabled.yml b/.github/workflows/__cpp-deptrace-enabled.yml
index ce9087f09..87c665b5b 100644
--- a/.github/workflows/__cpp-deptrace-enabled.yml
+++ b/.github/workflows/__cpp-deptrace-enabled.yml
@@ -36,7 +36,7 @@ jobs:
 name: 'C/C++: autoinstalling dependencies (Linux)'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__diagnostics-export.yml b/.github/workflows/__diagnostics-export.yml
index 53014cf36..113733947 100644
--- a/.github/workflows/__diagnostics-export.yml
+++ b/.github/workflows/__diagnostics-export.yml
@@ -42,7 +42,7 @@ jobs:
 name: Diagnostic export
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__export-file-baseline-information.yml b/.github/workflows/__export-file-baseline-information.yml
index e6e38ef8a..2f48ad4c5 100644
--- a/.github/workflows/__export-file-baseline-information.yml
+++ b/.github/workflows/__export-file-baseline-information.yml
@@ -36,7 +36,7 @@ jobs:
 name: Export file baseline information
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__extract-direct-to-toolcache.yml b/.github/workflows/__extract-direct-to-toolcache.yml
index 32727c997..34023f705 100644
--- a/.github/workflows/__extract-direct-to-toolcache.yml
+++ b/.github/workflows/__extract-direct-to-toolcache.yml
@@ -36,7 +36,7 @@ jobs:
 name: Extract directly to toolcache
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__extractor-ram-threads.yml b/.github/workflows/__extractor-ram-threads.yml
index 1c3806083..fd2cfd9e8 100644
--- a/.github/workflows/__extractor-ram-threads.yml
+++ b/.github/workflows/__extractor-ram-threads.yml
@@ -32,7 +32,7 @@ jobs:
 name: Extractor ram and threads options test
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__go-custom-queries.yml b/.github/workflows/__go-custom-queries.yml
index 927b2b88b..5459ab3f0 100644
--- a/.github/workflows/__go-custom-queries.yml
+++ b/.github/workflows/__go-custom-queries.yml
@@ -34,7 +34,7 @@ jobs:
 name: 'Go: Custom queries'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml b/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml
index 27f1ac7eb..7136d70ce 100644
--- a/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml
+++ b/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml
@@ -32,7 +32,7 @@ jobs:
 name: 'Go: diagnostic when Go is changed after init step'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml b/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml
index 471fc6497..341f4f70a 100644
--- a/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml
+++ b/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml
@@ -32,7 +32,7 @@ jobs:
 name: 'Go: diagnostic when `file` is not installed'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__go-indirect-tracing-workaround.yml b/.github/workflows/__go-indirect-tracing-workaround.yml
index 62459c3eb..24c95104d 100644
--- a/.github/workflows/__go-indirect-tracing-workaround.yml
+++ b/.github/workflows/__go-indirect-tracing-workaround.yml
@@ -32,7 +32,7 @@ jobs:
 name: 'Go: workaround for indirect tracing'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__go-tracing-autobuilder.yml b/.github/workflows/__go-tracing-autobuilder.yml
index 20caf1700..4e3b485ab 100644
--- a/.github/workflows/__go-tracing-autobuilder.yml
+++ b/.github/workflows/__go-tracing-autobuilder.yml
@@ -62,7 +62,7 @@ jobs:
 name: 'Go: tracing with autobuilder step'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__go-tracing-custom-build-steps.yml b/.github/workflows/__go-tracing-custom-build-steps.yml
index f5dc2333b..340f6e875 100644
--- a/.github/workflows/__go-tracing-custom-build-steps.yml
+++ b/.github/workflows/__go-tracing-custom-build-steps.yml
@@ -62,7 +62,7 @@ jobs:
 name: 'Go: tracing with custom build steps'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__go-tracing-legacy-workflow.yml b/.github/workflows/__go-tracing-legacy-workflow.yml
index 4baab1171..3af8b1e3a 100644
--- a/.github/workflows/__go-tracing-legacy-workflow.yml
+++ b/.github/workflows/__go-tracing-legacy-workflow.yml
@@ -62,7 +62,7 @@ jobs:
 name: 'Go: tracing with legacy workflow'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__javascript-source-root.yml b/.github/workflows/__javascript-source-root.yml
index 04d93978e..ba2ccd1b5 100644
--- a/.github/workflows/__javascript-source-root.yml
+++ b/.github/workflows/__javascript-source-root.yml
@@ -36,7 +36,7 @@ jobs:
 name: Custom source root
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__job-run-uuid-sarif.yml b/.github/workflows/__job-run-uuid-sarif.yml
index 40ff0cb74..1529a7234 100644
--- a/.github/workflows/__job-run-uuid-sarif.yml
+++ b/.github/workflows/__job-run-uuid-sarif.yml
@@ -32,7 +32,7 @@ jobs:
 name: Job run UUID added to SARIF
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__language-aliases.yml b/.github/workflows/__language-aliases.yml
index a7db4bdf6..0a77e4154 100644
--- a/.github/workflows/__language-aliases.yml
+++ b/.github/workflows/__language-aliases.yml
@@ -32,7 +32,7 @@ jobs:
 name: Language aliases
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__multi-language-autodetect.yml b/.github/workflows/__multi-language-autodetect.yml
index 1bab334dc..5d9cc9974 100644
--- a/.github/workflows/__multi-language-autodetect.yml
+++ b/.github/workflows/__multi-language-autodetect.yml
@@ -62,7 +62,7 @@ jobs:
 name: Multi-language repository
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__packaging-codescanning-config-inputs-js.yml b/.github/workflows/__packaging-codescanning-config-inputs-js.yml
index 15aeeb417..bb54bc83a 100644
--- a/.github/workflows/__packaging-codescanning-config-inputs-js.yml
+++ b/.github/workflows/__packaging-codescanning-config-inputs-js.yml
@@ -48,7 +48,7 @@ jobs:
 name: 'Packaging: Config and input passed to the CLI'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__packaging-config-inputs-js.yml b/.github/workflows/__packaging-config-inputs-js.yml
index e68085be0..125ca7a7d 100644
--- a/.github/workflows/__packaging-config-inputs-js.yml
+++ b/.github/workflows/__packaging-config-inputs-js.yml
@@ -48,7 +48,7 @@ jobs:
 name: 'Packaging: Config and input'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__packaging-config-js.yml b/.github/workflows/__packaging-config-js.yml
index dea5d8eae..db3e9b7ed 100644
--- a/.github/workflows/__packaging-config-js.yml
+++ b/.github/workflows/__packaging-config-js.yml
@@ -48,7 +48,7 @@ jobs:
 name: 'Packaging: Config file'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__packaging-inputs-js.yml b/.github/workflows/__packaging-inputs-js.yml
index cbb91f90d..c5f4bdc35 100644
--- a/.github/workflows/__packaging-inputs-js.yml
+++ b/.github/workflows/__packaging-inputs-js.yml
@@ -48,7 +48,7 @@ jobs:
 name: 'Packaging: Action input'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__remote-config.yml b/.github/workflows/__remote-config.yml
index 198fdde92..a615c66ad 100644
--- a/.github/workflows/__remote-config.yml
+++ b/.github/workflows/__remote-config.yml
@@ -34,7 +34,7 @@ jobs:
 name: Remote config file
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__resolve-environment-action.yml b/.github/workflows/__resolve-environment-action.yml
index 2c6380323..632e71e65 100644
--- a/.github/workflows/__resolve-environment-action.yml
+++ b/.github/workflows/__resolve-environment-action.yml
@@ -48,7 +48,7 @@ jobs:
 name: Resolve environment
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__rubocop-multi-language.yml b/.github/workflows/__rubocop-multi-language.yml
index 16a6c958d..dca3140bd 100644
--- a/.github/workflows/__rubocop-multi-language.yml
+++ b/.github/workflows/__rubocop-multi-language.yml
@@ -32,7 +32,7 @@ jobs:
 name: RuboCop multi-language
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__ruby.yml b/.github/workflows/__ruby.yml
index 441b51981..ff9769c01 100644
--- a/.github/workflows/__ruby.yml
+++ b/.github/workflows/__ruby.yml
@@ -42,7 +42,7 @@ jobs:
 name: Ruby analysis
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__split-workflow.yml b/.github/workflows/__split-workflow.yml
index ea72bde86..c1e0058c1 100644
--- a/.github/workflows/__split-workflow.yml
+++ b/.github/workflows/__split-workflow.yml
@@ -42,7 +42,7 @@ jobs:
 name: Split workflow
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__start-proxy.yml b/.github/workflows/__start-proxy.yml
index e66da8bfd..f2e9b6460 100644
--- a/.github/workflows/__start-proxy.yml +++ b/.github/workflows/__start-proxy.yml @@ -36,7 +36,7 @@ jobs: name: Start proxy permissions: contents: read - security-events: write + security-events: read timeout-minutes: 45 runs-on: ${{ matrix.os }} steps: diff --git a/.github/workflows/__submit-sarif-failure.yml b/.github/workflows/__submit-sarif-failure.yml index 1f4300d63..4c37ac0ab 100644 --- a/.github/workflows/__submit-sarif-failure.yml +++ b/.github/workflows/__submit-sarif-failure.yml @@ -36,7 +36,8 @@ jobs: name: Submit SARIF after failure permissions: contents: read - security-events: write + security-events: write # needed to upload the SARIF file + timeout-minutes: 45 runs-on: ${{ matrix.os }} steps: diff --git a/.github/workflows/__swift-autobuild.yml b/.github/workflows/__swift-autobuild.yml index 9c17dda79..7be7c0b33 100644 --- a/.github/workflows/__swift-autobuild.yml +++ b/.github/workflows/__swift-autobuild.yml @@ -32,7 +32,7 @@ jobs: name: Swift analysis using autobuild permissions: contents: read - security-events: write + security-events: read timeout-minutes: 45 runs-on: ${{ matrix.os }} steps: diff --git a/.github/workflows/__swift-custom-build.yml b/.github/workflows/__swift-custom-build.yml index ae3d80225..1e6009c66 100644 --- a/.github/workflows/__swift-custom-build.yml +++ b/.github/workflows/__swift-custom-build.yml @@ -36,7 +36,7 @@ jobs: name: Swift analysis using a custom build command permissions: contents: read - security-events: write + security-events: read timeout-minutes: 45 runs-on: ${{ matrix.os }} steps: diff --git a/.github/workflows/__test-autobuild-working-dir.yml b/.github/workflows/__test-autobuild-working-dir.yml index 144ca2173..52fd8c1ab 100644 --- a/.github/workflows/__test-autobuild-working-dir.yml +++ b/.github/workflows/__test-autobuild-working-dir.yml 
@@ -32,7 +32,7 @@ jobs:
 name: Autobuild working directory
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__test-local-codeql.yml b/.github/workflows/__test-local-codeql.yml
index 27792efce..c14d9543a 100644
--- a/.github/workflows/__test-local-codeql.yml
+++ b/.github/workflows/__test-local-codeql.yml
@@ -32,7 +32,7 @@ jobs:
 name: Local CodeQL bundle
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__test-proxy.yml b/.github/workflows/__test-proxy.yml
index 1b2bb6811..f542d4d4d 100644
--- a/.github/workflows/__test-proxy.yml
+++ b/.github/workflows/__test-proxy.yml
@@ -34,7 +34,7 @@ jobs:
 name: Proxy test
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__unset-environment.yml b/.github/workflows/__unset-environment.yml
index 3a2105487..82ac0e60b 100644
--- a/.github/workflows/__unset-environment.yml
+++ b/.github/workflows/__unset-environment.yml
@@ -34,7 +34,7 @@ jobs:
 name: Test unsetting environment variables
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__upload-ref-sha-input.yml b/.github/workflows/__upload-ref-sha-input.yml
index 7483a8362..a1a5ad4b8 100644
--- a/.github/workflows/__upload-ref-sha-input.yml
+++ b/.github/workflows/__upload-ref-sha-input.yml
@@ -36,7 +36,7 @@ jobs:
 name: "Upload-sarif: 'ref' and 'sha' from inputs"
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__with-checkout-path.yml b/.github/workflows/__with-checkout-path.yml
index d054ca0ce..524f96517 100644
--- a/.github/workflows/__with-checkout-path.yml +++ b/.github/workflows/__with-checkout-path.yml @@ -36,7 +36,7 @@ jobs: name: Use a custom `checkout_path` permissions: contents: read - security-events: write + security-events: read timeout-minutes: 45 runs-on: ${{ matrix.os }} steps: diff --git a/.github/workflows/__zstd-bundle-streaming.yml b/.github/workflows/__zstd-bundle-streaming.yml index e6fad5708..0a5b39d09 100644 --- a/.github/workflows/__zstd-bundle-streaming.yml +++ b/.github/workflows/__zstd-bundle-streaming.yml @@ -34,7 +34,7 @@ jobs: name: Zstandard bundle (streaming) permissions: contents: read - security-events: write + security-events: read timeout-minutes: 45 runs-on: ${{ matrix.os }} steps: diff --git a/.github/workflows/__zstd-bundle.yml b/.github/workflows/__zstd-bundle.yml index f45268af8..a8065cb97 100644 --- a/.github/workflows/__zstd-bundle.yml +++ b/.github/workflows/__zstd-bundle.yml @@ -36,7 +36,7 @@ jobs: name: Zstandard bundle permissions: contents: read - security-events: write + security-events: read timeout-minutes: 45 runs-on: ${{ matrix.os }} steps: diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 0703ff367..130ef5883 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -24,7 +24,7 @@ jobs: versions: ${{ steps.compare.outputs.versions }} permissions: - security-events: write + contents: read steps: - uses: actions/checkout@v4 @@ -80,7 +80,8 @@ jobs: runs-on: ${{ matrix.os }} permissions: - security-events: write + contents: read + security-events: write # needed to upload results steps: - name: Checkout diff --git a/.github/workflows/codescanning-config-cli.yml b/.github/workflows/codescanning-config-cli.yml index 9a059a8b1..01795943c 100644 --- a/.github/workflows/codescanning-config-cli.yml +++ b/.github/workflows/codescanning-config-cli.yml 
@@ -26,7 +26,7 @@ jobs: permissions: contents: read packages: read - security-events: write + security-events: read strategy: fail-fast: false diff --git a/.github/workflows/expected-queries-runs.yml b/.github/workflows/expected-queries-runs.yml index e76c8920d..fd75a39a1 100644 --- a/.github/workflows/expected-queries-runs.yml +++ b/.github/workflows/expected-queries-runs.yml @@ -24,7 +24,7 @@ jobs: runs-on: ubuntu-latest permissions: contents: read - security-events: write + security-events: read steps: - name: Check out repository uses: actions/checkout@v4 diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index 676fa65d1..18ff78248 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -15,7 +15,7 @@ jobs: timeout-minutes: 45 permissions: contents: read - security-events: write + security-events: write # needed to upload ESLint results strategy: fail-fast: false diff --git a/.github/workflows/test-codeql-bundle-all.yml b/.github/workflows/test-codeql-bundle-all.yml index 2524f58e4..4d08c2117 100644 --- a/.github/workflows/test-codeql-bundle-all.yml +++ b/.github/workflows/test-codeql-bundle-all.yml @@ -27,7 +27,7 @@ jobs: name: 'CodeQL Bundle All' permissions: contents: read - security-events: write + security-events: read timeout-minutes: 45 runs-on: ${{ matrix.os }} steps: diff --git a/pr-checks/checks/submit-sarif-failure.yml b/pr-checks/checks/submit-sarif-failure.yml index 7dd5ac76b..070042885 100644 --- a/pr-checks/checks/submit-sarif-failure.yml +++ b/pr-checks/checks/submit-sarif-failure.yml @@ -14,6 +14,10 @@ env: # Mark telemetry for this workflow so it can be treated separately. CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks +permissions: + contents: read + security-events: write # needed to upload the SARIF file + steps: - uses: actions/checkout@v4 - uses: ./init diff --git a/pr-checks/sync.py b/pr-checks/sync.py index 13ee591af..f27dbdd8f 100755 --- a/pr-checks/sync.py 
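Review bot: The new `security-events: read` line in `.github/workflows/codescanning-config-cli.yml` has no comment saying what in the job reads code scanning data, while every `write` grant kept in this commit is annotated (`# needed to upload ...`). Suggest `security-events: read # needed for <API call this job makes>`, or, if nothing in the job reads code scanning data, dropping the key so the scope falls to none, as the first job in `codeql.yml` now does by listing only `contents: read`. The same applies to the hunks in `expected-queries-runs.yml` and `test-codeql-bundle-all.yml`. The job's steps are outside the hunk, so whether the read scope is actually used cannot be confirmed from here.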
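Review bot: `security-events: write` in `.github/workflows/pr-checks.yml` is still granted to the whole job, so every step of this matrix job runs with a token that can write code scanning results, not only the ESLint upload named in the comment. If the job also installs dependencies or runs tests from the pull request, consider moving the upload into a small follow-up job that receives the SARIF file as an artifact and is the only one holding `security-events: write`, leaving this job at `contents: read`. The steps are outside the hunk, so this is inferred from the comment and the `strategy` block that follows.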
+++ b/pr-checks/sync.py
@@ -126,7 +126,7 @@ def writeHeader(checkStream):
 'name': checkSpecification['name'],
 'permissions': {
 'contents': 'read',
- 'security-events': 'write'
+ 'security-events': 'read'
 },
 'timeout-minutes': 45,
 'runs-on': '${{ matrix.os }}',
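Review bot: The generator's default becomes `'security-events': 'read'` without a comment telling check authors how to opt back in to `write`; the only visible example is the new top-level `permissions:` block in `pr-checks/checks/submit-sarif-failure.yml`. Suggest a comment above the `'permissions'` entry such as `# Least-privilege default; a check that uploads SARIF must declare its own 'permissions' block.` The code that applies a check's own `permissions` is not in this hunk; if it replaces this mapping rather than merging into it, a check that lists only `security-events` would end up without `contents: read`, which is worth confirming or documenting. The enclosing dict literal starts and ends outside the hunk.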