From e9aa2c6f62b2fdd057b1faf99cc69cabe9348866 Mon Sep 17 00:00:00 2001
From: Andrew Eisenberg
Date: Mon, 31 Jan 2022 16:11:00 -0800
Subject: [PATCH] Add a permissions block for generated workflows

Ensure that all workflows are able to write security events.

---
 .github/workflows/__debug-artifacts.yml | 2 ++
 .github/workflows/__extractor-ram-threads.yml | 2 ++
 .github/workflows/__go-custom-queries.yml | 2 ++
 .github/workflows/__go-custom-tracing-autobuild.yml | 2 ++
 .github/workflows/__go-custom-tracing.yml | 2 ++
 .github/workflows/__javascript-source-root.yml | 2 ++
 .github/workflows/__multi-language-autodetect.yml | 2 ++
 .github/workflows/__packaging-config-inputs-js.yml | 2 ++
 .github/workflows/__packaging-config-js.yml | 2 ++
 .github/workflows/__packaging-inputs-js.yml | 2 ++
 .github/workflows/__remote-config.yml | 2 ++
 .github/workflows/__rubocop-multi-language.yml | 2 ++
 .github/workflows/__split-workflow.yml | 2 ++
 .github/workflows/__test-local-codeql.yml | 2 ++
 .github/workflows/__test-proxy.yml | 2 ++
 .github/workflows/__test-ruby.yml | 2 ++
 .github/workflows/__unset-environment.yml | 2 ++
 pr-checks/sync.py | 4 +++-
 18 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/__debug-artifacts.yml b/.github/workflows/__debug-artifacts.yml
index d034ff894..d414e2428 100644
--- a/.github/workflows/__debug-artifacts.yml
+++ b/.github/workflows/__debug-artifacts.yml
@@ -32,6 +32,8 @@ jobs:
 - nightly-latest
 os: [ubuntu-latest, macos-latest]
 name: Debug artifact upload
+ permissions:
+ security-events: write
 runs-on: ${{ matrix.os }}
 steps:
 - name: Check out repository
diff --git a/.github/workflows/__extractor-ram-threads.yml b/.github/workflows/__extractor-ram-threads.yml
index dd916d568..d0e7bf187 100644
--- a/.github/workflows/__extractor-ram-threads.yml
+++ b/.github/workflows/__extractor-ram-threads.yml
@@ -26,6 +26,8 @@ jobs:
 version: [latest]
 os: [ubuntu-latest]
 name: Extractor ram and threads options test
+ permissions:
+ security-events: write
 runs-on: ${{ matrix.os }}
 steps:
 - name: Check out repository
diff --git a/.github/workflows/__go-custom-queries.yml b/.github/workflows/__go-custom-queries.yml
index 2e71b5cff..6c87a8e46 100644
--- a/.github/workflows/__go-custom-queries.yml
+++ b/.github/workflows/__go-custom-queries.yml
@@ -35,6 +35,8 @@ jobs:
 - macos-latest
 - windows-latest
 name: 'Go: Custom queries'
+ permissions:
+ security-events: write
 runs-on: ${{ matrix.os }}
 steps:
 - name: Check out repository
diff --git a/.github/workflows/__go-custom-tracing-autobuild.yml b/.github/workflows/__go-custom-tracing-autobuild.yml
index 6d2da9331..16643a0b6 100644
--- a/.github/workflows/__go-custom-tracing-autobuild.yml
+++ b/.github/workflows/__go-custom-tracing-autobuild.yml
@@ -32,6 +32,8 @@ jobs:
 - nightly-latest
 os: [ubuntu-latest, macos-latest]
 name: 'Go: Autobuild custom tracing'
+ permissions:
+ security-events: write
 runs-on: ${{ matrix.os }}
 steps:
 - name: Check out repository
diff --git a/.github/workflows/__go-custom-tracing.yml b/.github/workflows/__go-custom-tracing.yml
index 49bf78e67..6cd67dab7 100644
--- a/.github/workflows/__go-custom-tracing.yml
+++ b/.github/workflows/__go-custom-tracing.yml
@@ -35,6 +35,8 @@ jobs:
 - macos-latest
 - windows-latest
 name: 'Go: Custom tracing'
+ permissions:
+ security-events: write
 runs-on: ${{ matrix.os }}
 steps:
 - name: Check out repository
diff --git a/.github/workflows/__javascript-source-root.yml b/.github/workflows/__javascript-source-root.yml
index 44260b80b..df4c4e787 100644
--- a/.github/workflows/__javascript-source-root.yml
+++ b/.github/workflows/__javascript-source-root.yml
@@ -26,6 +26,8 @@ jobs:
 version: [latest, cached, nightly-latest] # This feature is not compatible with old CLIs
 os: [ubuntu-latest]
 name: Custom source root
+ permissions:
+ security-events: write
 runs-on: ${{ matrix.os }}
 steps:
 - name: Check out repository
diff --git a/.github/workflows/__multi-language-autodetect.yml b/.github/workflows/__multi-language-autodetect.yml
index d7b43c477..65df2321b 100644
--- a/.github/workflows/__multi-language-autodetect.yml
+++ b/.github/workflows/__multi-language-autodetect.yml
@@ -32,6 +32,8 @@ jobs:
 - nightly-latest
 os: [ubuntu-latest, macos-latest]
 name: Multi-language repository
+ permissions:
+ security-events: write
 runs-on: ${{ matrix.os }}
 steps:
 - name: Check out repository
diff --git a/.github/workflows/__packaging-config-inputs-js.yml b/.github/workflows/__packaging-config-inputs-js.yml
index 824a0041b..0a5a4fec2 100644
--- a/.github/workflows/__packaging-config-inputs-js.yml
+++ b/.github/workflows/__packaging-config-inputs-js.yml
@@ -26,6 +26,8 @@ jobs:
 version: [nightly-20210831] # This CLI version is known to work with package used in this test
 os: [ubuntu-latest, macos-latest]
 name: 'Packaging: Config and input'
+ permissions:
+ security-events: write
 runs-on: ${{ matrix.os }}
 steps:
 - name: Check out repository
diff --git a/.github/workflows/__packaging-config-js.yml b/.github/workflows/__packaging-config-js.yml
index 0a2ece98a..2e96071f3 100644
--- a/.github/workflows/__packaging-config-js.yml
+++ b/.github/workflows/__packaging-config-js.yml
@@ -26,6 +26,8 @@ jobs:
 version: [nightly-20210831] # This CLI version is known to work with package used in this test
 os: [ubuntu-latest, macos-latest]
 name: 'Packaging: Config file'
+ permissions:
+ security-events: write
 runs-on: ${{ matrix.os }}
 steps:
 - name: Check out repository
diff --git a/.github/workflows/__packaging-inputs-js.yml b/.github/workflows/__packaging-inputs-js.yml
index 686d6f32f..d7fb4e0a2 100644
--- a/.github/workflows/__packaging-inputs-js.yml
+++ b/.github/workflows/__packaging-inputs-js.yml
@@ -26,6 +26,8 @@ jobs:
 version: [nightly-20210831] # This CLI version is known to work with package used in this test
 os: [ubuntu-latest, macos-latest]
 name: 'Packaging: Action input'
+ permissions:
+ security-events: write
 runs-on: ${{ matrix.os }}
 steps:
 - name: Check out repository
diff --git a/.github/workflows/__remote-config.yml b/.github/workflows/__remote-config.yml
index de01cd994..72d717f19 100644
--- a/.github/workflows/__remote-config.yml
+++ b/.github/workflows/__remote-config.yml
@@ -35,6 +35,8 @@ jobs:
 - macos-latest
 - windows-latest
 name: Remote config file
+ permissions:
+ security-events: write
 runs-on: ${{ matrix.os }}
 steps:
 - name: Check out repository
diff --git a/.github/workflows/__rubocop-multi-language.yml b/.github/workflows/__rubocop-multi-language.yml
index cc8f77bb1..d2f11f0f3 100644
--- a/.github/workflows/__rubocop-multi-language.yml
+++ b/.github/workflows/__rubocop-multi-language.yml
@@ -32,6 +32,8 @@ jobs:
 - nightly-latest
 os: [ubuntu-latest]
 name: RuboCop multi-language
+ permissions:
+ security-events: write
 runs-on: ${{ matrix.os }}
 steps:
 - name: Check out repository
diff --git a/.github/workflows/__split-workflow.yml b/.github/workflows/__split-workflow.yml
index dc9d41116..eb408c174 100644
--- a/.github/workflows/__split-workflow.yml
+++ b/.github/workflows/__split-workflow.yml
@@ -26,6 +26,8 @@ jobs:
 version: [nightly-20210831] # This CLI version is known to work with package used in this test
 os: [ubuntu-latest, macos-latest]
 name: Split workflow
+ permissions:
+ security-events: write
 runs-on: ${{ matrix.os }}
 steps:
 - name: Check out repository
diff --git a/.github/workflows/__test-local-codeql.yml b/.github/workflows/__test-local-codeql.yml
index c2e067cd5..c5cbea166 100644
--- a/.github/workflows/__test-local-codeql.yml
+++ b/.github/workflows/__test-local-codeql.yml
@@ -26,6 +26,8 @@ jobs:
 version: [nightly-latest]
 os: [ubuntu-latest]
 name: Local CodeQL bundle
+ permissions:
+ security-events: write
 runs-on: ${{ matrix.os }}
 steps:
 - name: Check out repository
diff --git a/.github/workflows/__test-proxy.yml b/.github/workflows/__test-proxy.yml
index 582104acd..a203a8e80 100644
--- a/.github/workflows/__test-proxy.yml
+++ b/.github/workflows/__test-proxy.yml
@@ -26,6 +26,8 @@ jobs:
 version: [latest]
 os: [ubuntu-latest]
 name: Proxy test
+ permissions:
+ security-events: write
 runs-on: ${{ matrix.os }}
 steps:
 - name: Check out repository
diff --git a/.github/workflows/__test-ruby.yml b/.github/workflows/__test-ruby.yml
index 03979f130..17baa790e 100644
--- a/.github/workflows/__test-ruby.yml
+++ b/.github/workflows/__test-ruby.yml
@@ -26,6 +26,8 @@ jobs:
 version: [latest, cached, nightly-latest]
 os: [ubuntu-latest, macos-latest]
 name: Ruby analysis
+ permissions:
+ security-events: write
 runs-on: ${{ matrix.os }}
 steps:
 - name: Check out repository
diff --git a/.github/workflows/__unset-environment.yml b/.github/workflows/__unset-environment.yml
index fbff545d5..c075a3c69 100644
--- a/.github/workflows/__unset-environment.yml
+++ b/.github/workflows/__unset-environment.yml
@@ -32,6 +32,8 @@ jobs:
 - nightly-latest
 os: [ubuntu-latest]
 name: Test unsetting environment variables
+ permissions:
+ security-events: write
 runs-on: ${{ matrix.os }}
 steps:
 - name: Check out repository
diff --git a/pr-checks/sync.py b/pr-checks/sync.py
index 411c9da8d..dd6b234c0 100644
--- a/pr-checks/sync.py
+++ b/pr-checks/sync.py
@@ -23,7 +23,6 @@
 """
 
 
-
 class NonAliasingRTRepresenter(ruamel.yaml.representer.RoundTripRepresenter):
 def ignore_aliases(self, data):
 return True
@@ -71,6 +70,9 @@ def writeHeader(checkStream):
 }
 },
 'name': checkSpecification['name'],
+ 'permissions': {
+ 'security-events': 'write'
+ },
 'runs-on': '${{ matrix.os }}',
 'steps': steps
 }
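Review bot: A job-level `permissions` block that names only `security-events: write` sets every other `GITHUB_TOKEN` scope of that job to `none`, including `contents`, so the generated jobs' `Check out repository` step and any later step that reads the repository through the token lose read access; since this dict is the template from which all 17 `__*.yml` files in the commit are regenerated, the read scope belongs here, e.g. `'permissions': {'contents': 'read', 'security-events': 'write'},`. Checkout of a public repository may still succeed without that scope, so the gap could surface only on forks or private copies of these workflows — worth confirming on an actual run. The dict being built, and the function or loop it belongs to, start and end outside the hunk.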