diff --git a/.github/workflows/__all-platform-bundle.yml b/.github/workflows/__all-platform-bundle.yml
index 7439f7e16c..99b6b7bb49 100644
--- a/.github/workflows/__all-platform-bundle.yml
+++ b/.github/workflows/__all-platform-bundle.yml
@@ -32,7 +32,7 @@ jobs:
 name: All-platform bundle
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__analyze-ref-input.yml b/.github/workflows/__analyze-ref-input.yml
index 3047b9d73f..52294f42dd 100644
--- a/.github/workflows/__analyze-ref-input.yml
+++ b/.github/workflows/__analyze-ref-input.yml
@@ -36,7 +36,7 @@ jobs:
 name: "Analyze: 'ref' and 'sha' from inputs"
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__autobuild-action.yml b/.github/workflows/__autobuild-action.yml
index 497f668a08..080f9893a4 100644
--- a/.github/workflows/__autobuild-action.yml
+++ b/.github/workflows/__autobuild-action.yml
@@ -36,7 +36,7 @@ jobs:
 name: autobuild-action
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml b/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml
index 4ee53ef132..3ccdecda5f 100644
--- a/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml
+++ b/.github/workflows/__autobuild-direct-tracing-with-working-dir.yml
@@ -38,7 +38,7 @@ jobs:
 name: Autobuild direct tracing (custom working directory)
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__autobuild-direct-tracing.yml b/.github/workflows/__autobuild-direct-tracing.yml
index 964f53fd6b..90084856f6 100644
--- a/.github/workflows/__autobuild-direct-tracing.yml
+++ b/.github/workflows/__autobuild-direct-tracing.yml
@@ -38,7 +38,7 @@ jobs:
 name: Autobuild direct tracing
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__build-mode-autobuild.yml b/.github/workflows/__build-mode-autobuild.yml
index 3c934442c6..5219e619ca 100644
--- a/.github/workflows/__build-mode-autobuild.yml
+++ b/.github/workflows/__build-mode-autobuild.yml
@@ -32,7 +32,7 @@ jobs:
 name: Build mode autobuild
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__build-mode-manual.yml b/.github/workflows/__build-mode-manual.yml
index 74252c9966..cae260261f 100644
--- a/.github/workflows/__build-mode-manual.yml
+++ b/.github/workflows/__build-mode-manual.yml
@@ -32,7 +32,7 @@ jobs:
 name: Build mode manual
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__build-mode-none.yml b/.github/workflows/__build-mode-none.yml
index a9ce123f97..f2cccc577a 100644
--- a/.github/workflows/__build-mode-none.yml
+++ b/.github/workflows/__build-mode-none.yml
@@ -34,7 +34,7 @@ jobs:
 name: Build mode none
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__build-mode-rollback.yml b/.github/workflows/__build-mode-rollback.yml
index 5457a02d59..3573aff7eb 100644
--- a/.github/workflows/__build-mode-rollback.yml
+++ b/.github/workflows/__build-mode-rollback.yml
@@ -32,7 +32,7 @@ jobs:
 name: Build mode rollback
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__cleanup-db-cluster-dir.yml b/.github/workflows/__cleanup-db-cluster-dir.yml
index b6abe761a8..1c1afd1fa9 100644
--- a/.github/workflows/__cleanup-db-cluster-dir.yml
+++ b/.github/workflows/__cleanup-db-cluster-dir.yml
@@ -32,7 +32,7 @@ jobs:
 name: Clean up database cluster directory
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__config-export.yml b/.github/workflows/__config-export.yml
index 76b7b9037d..536060cc45 100644
--- a/.github/workflows/__config-export.yml
+++ b/.github/workflows/__config-export.yml
@@ -42,7 +42,7 @@ jobs:
 name: Config export
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__config-input.yml b/.github/workflows/__config-input.yml
index 1b419aee7b..6afbf58d75 100644
--- a/.github/workflows/__config-input.yml
+++ b/.github/workflows/__config-input.yml
@@ -32,7 +32,7 @@ jobs:
 name: Config input
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__cpp-deptrace-disabled.yml b/.github/workflows/__cpp-deptrace-disabled.yml
index 17aa07c8bc..11668c95b0 100644
--- a/.github/workflows/__cpp-deptrace-disabled.yml
+++ b/.github/workflows/__cpp-deptrace-disabled.yml
@@ -36,7 +36,7 @@ jobs:
 name: 'C/C++: disabling autoinstalling dependencies (Linux)'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__cpp-deptrace-enabled-on-macos.yml b/.github/workflows/__cpp-deptrace-enabled-on-macos.yml
index 60997a9172..d2e417161e 100644
--- a/.github/workflows/__cpp-deptrace-enabled-on-macos.yml
+++ b/.github/workflows/__cpp-deptrace-enabled-on-macos.yml
@@ -32,7 +32,7 @@ jobs:
 name: 'C/C++: autoinstalling dependencies is skipped (macOS)'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__cpp-deptrace-enabled.yml b/.github/workflows/__cpp-deptrace-enabled.yml
index ce9087f095..87c665b5b8 100644
--- a/.github/workflows/__cpp-deptrace-enabled.yml
+++ b/.github/workflows/__cpp-deptrace-enabled.yml
@@ -36,7 +36,7 @@ jobs:
 name: 'C/C++: autoinstalling dependencies (Linux)'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__diagnostics-export.yml b/.github/workflows/__diagnostics-export.yml
index 53014cf36c..1137339478 100644
--- a/.github/workflows/__diagnostics-export.yml
+++ b/.github/workflows/__diagnostics-export.yml
@@ -42,7 +42,7 @@ jobs:
 name: Diagnostic export
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__export-file-baseline-information.yml b/.github/workflows/__export-file-baseline-information.yml
index e6e38ef8a9..2f48ad4c5c 100644
--- a/.github/workflows/__export-file-baseline-information.yml
+++ b/.github/workflows/__export-file-baseline-information.yml
@@ -36,7 +36,7 @@ jobs:
 name: Export file baseline information
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__extract-direct-to-toolcache.yml b/.github/workflows/__extract-direct-to-toolcache.yml
index 32727c997b..34023f7054 100644
--- a/.github/workflows/__extract-direct-to-toolcache.yml
+++ b/.github/workflows/__extract-direct-to-toolcache.yml
@@ -36,7 +36,7 @@ jobs:
 name: Extract directly to toolcache
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__extractor-ram-threads.yml b/.github/workflows/__extractor-ram-threads.yml
index 1c38060832..fd2cfd9e88 100644
--- a/.github/workflows/__extractor-ram-threads.yml
+++ b/.github/workflows/__extractor-ram-threads.yml
@@ -32,7 +32,7 @@ jobs:
 name: Extractor ram and threads options test
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__go-custom-queries.yml b/.github/workflows/__go-custom-queries.yml
index 927b2b88b6..5459ab3f05 100644
--- a/.github/workflows/__go-custom-queries.yml
+++ b/.github/workflows/__go-custom-queries.yml
@@ -34,7 +34,7 @@ jobs:
 name: 'Go: Custom queries'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml b/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml
index 27f1ac7eb7..7136d70ce8 100644
--- a/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml
+++ b/.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml
@@ -32,7 +32,7 @@ jobs:
 name: 'Go: diagnostic when Go is changed after init step'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml b/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml
index 471fc64978..341f4f70af 100644
--- a/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml
+++ b/.github/workflows/__go-indirect-tracing-workaround-no-file-program.yml
@@ -32,7 +32,7 @@ jobs:
 name: 'Go: diagnostic when `file` is not installed'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__go-indirect-tracing-workaround.yml b/.github/workflows/__go-indirect-tracing-workaround.yml
index 62459c3eb6..24c95104db 100644
--- a/.github/workflows/__go-indirect-tracing-workaround.yml
+++ b/.github/workflows/__go-indirect-tracing-workaround.yml
@@ -32,7 +32,7 @@ jobs:
 name: 'Go: workaround for indirect tracing'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__go-tracing-autobuilder.yml b/.github/workflows/__go-tracing-autobuilder.yml
index 20caf17005..4e3b485ab7 100644
--- a/.github/workflows/__go-tracing-autobuilder.yml
+++ b/.github/workflows/__go-tracing-autobuilder.yml
@@ -62,7 +62,7 @@ jobs:
 name: 'Go: tracing with autobuilder step'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__go-tracing-custom-build-steps.yml b/.github/workflows/__go-tracing-custom-build-steps.yml
index f5dc2333b7..340f6e8758 100644
--- a/.github/workflows/__go-tracing-custom-build-steps.yml
+++ b/.github/workflows/__go-tracing-custom-build-steps.yml
@@ -62,7 +62,7 @@ jobs:
 name: 'Go: tracing with custom build steps'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__go-tracing-legacy-workflow.yml b/.github/workflows/__go-tracing-legacy-workflow.yml
index 4baab11718..3af8b1e3a7 100644
--- a/.github/workflows/__go-tracing-legacy-workflow.yml
+++ b/.github/workflows/__go-tracing-legacy-workflow.yml
@@ -62,7 +62,7 @@ jobs:
 name: 'Go: tracing with legacy workflow'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__javascript-source-root.yml b/.github/workflows/__javascript-source-root.yml
index 04d93978ee..ba2ccd1b5d 100644
--- a/.github/workflows/__javascript-source-root.yml
+++ b/.github/workflows/__javascript-source-root.yml
@@ -36,7 +36,7 @@ jobs:
 name: Custom source root
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__job-run-uuid-sarif.yml b/.github/workflows/__job-run-uuid-sarif.yml
index 40ff0cb741..1529a72346 100644
--- a/.github/workflows/__job-run-uuid-sarif.yml
+++ b/.github/workflows/__job-run-uuid-sarif.yml
@@ -32,7 +32,7 @@ jobs:
 name: Job run UUID added to SARIF
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__language-aliases.yml b/.github/workflows/__language-aliases.yml
index a7db4bdf66..0a77e4154c 100644
--- a/.github/workflows/__language-aliases.yml
+++ b/.github/workflows/__language-aliases.yml
@@ -32,7 +32,7 @@ jobs:
 name: Language aliases
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__multi-language-autodetect.yml b/.github/workflows/__multi-language-autodetect.yml
index 1bab334dcf..5d9cc99749 100644
--- a/.github/workflows/__multi-language-autodetect.yml
+++ b/.github/workflows/__multi-language-autodetect.yml
@@ -62,7 +62,7 @@ jobs:
 name: Multi-language repository
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__packaging-codescanning-config-inputs-js.yml b/.github/workflows/__packaging-codescanning-config-inputs-js.yml
index 15aeeb4171..bb54bc83a7 100644
--- a/.github/workflows/__packaging-codescanning-config-inputs-js.yml
+++ b/.github/workflows/__packaging-codescanning-config-inputs-js.yml
@@ -48,7 +48,7 @@ jobs:
 name: 'Packaging: Config and input passed to the CLI'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__packaging-config-inputs-js.yml b/.github/workflows/__packaging-config-inputs-js.yml
index e68085be0c..125ca7a7de 100644
--- a/.github/workflows/__packaging-config-inputs-js.yml
+++ b/.github/workflows/__packaging-config-inputs-js.yml
@@ -48,7 +48,7 @@ jobs:
 name: 'Packaging: Config and input'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__packaging-config-js.yml b/.github/workflows/__packaging-config-js.yml
index dea5d8eae3..db3e9b7ed5 100644
--- a/.github/workflows/__packaging-config-js.yml
+++ b/.github/workflows/__packaging-config-js.yml
@@ -48,7 +48,7 @@ jobs:
 name: 'Packaging: Config file'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__packaging-inputs-js.yml b/.github/workflows/__packaging-inputs-js.yml
index cbb91f90dc..c5f4bdc355 100644
--- a/.github/workflows/__packaging-inputs-js.yml
+++ b/.github/workflows/__packaging-inputs-js.yml
@@ -48,7 +48,7 @@ jobs:
 name: 'Packaging: Action input'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__remote-config.yml b/.github/workflows/__remote-config.yml
index 198fdde921..a615c66ad3 100644
--- a/.github/workflows/__remote-config.yml
+++ b/.github/workflows/__remote-config.yml
@@ -34,7 +34,7 @@ jobs:
 name: Remote config file
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__resolve-environment-action.yml b/.github/workflows/__resolve-environment-action.yml
index 2c6380323d..632e71e65c 100644
--- a/.github/workflows/__resolve-environment-action.yml
+++ b/.github/workflows/__resolve-environment-action.yml
@@ -48,7 +48,7 @@ jobs:
 name: Resolve environment
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__rubocop-multi-language.yml b/.github/workflows/__rubocop-multi-language.yml
index 16a6c958d9..dca3140bd5 100644
--- a/.github/workflows/__rubocop-multi-language.yml
+++ b/.github/workflows/__rubocop-multi-language.yml
@@ -32,7 +32,7 @@ jobs:
 name: RuboCop multi-language
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__ruby.yml b/.github/workflows/__ruby.yml
index 441b51981c..ff9769c01a 100644
--- a/.github/workflows/__ruby.yml
+++ b/.github/workflows/__ruby.yml
@@ -42,7 +42,7 @@ jobs:
 name: Ruby analysis
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__split-workflow.yml b/.github/workflows/__split-workflow.yml
index ea72bde861..c1e0058c16 100644
--- a/.github/workflows/__split-workflow.yml
+++ b/.github/workflows/__split-workflow.yml
@@ -42,7 +42,7 @@ jobs:
 name: Split workflow
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__start-proxy.yml b/.github/workflows/__start-proxy.yml
index e66da8bfd9..f2e9b64600 100644
--- a/.github/workflows/__start-proxy.yml
+++ b/.github/workflows/__start-proxy.yml
@@ -36,7 +36,7 @@ jobs:
 name: Start proxy
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__submit-sarif-failure.yml b/.github/workflows/__submit-sarif-failure.yml
index 1f4300d630..4c37ac0ab4 100644
--- a/.github/workflows/__submit-sarif-failure.yml
+++ b/.github/workflows/__submit-sarif-failure.yml
@@ -36,7 +36,8 @@ jobs:
 name: Submit SARIF after failure
 permissions:
 contents: read
- security-events: write
+ security-events: write # needed to upload the SARIF file
+
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__swift-autobuild.yml b/.github/workflows/__swift-autobuild.yml
index 9c17dda79c..7be7c0b339 100644
--- a/.github/workflows/__swift-autobuild.yml
+++ b/.github/workflows/__swift-autobuild.yml
@@ -32,7 +32,7 @@ jobs:
 name: Swift analysis using autobuild
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__swift-custom-build.yml b/.github/workflows/__swift-custom-build.yml
index ae3d802250..1e6009c66c 100644
--- a/.github/workflows/__swift-custom-build.yml
+++ b/.github/workflows/__swift-custom-build.yml
@@ -36,7 +36,7 @@ jobs:
 name: Swift analysis using a custom build command
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__test-autobuild-working-dir.yml b/.github/workflows/__test-autobuild-working-dir.yml
index 144ca2173d..52fd8c1ab9 100644
--- a/.github/workflows/__test-autobuild-working-dir.yml
+++ b/.github/workflows/__test-autobuild-working-dir.yml
@@ -32,7 +32,7 @@ jobs:
 name: Autobuild working directory
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__test-local-codeql.yml b/.github/workflows/__test-local-codeql.yml
index 27792efce0..c14d9543aa 100644
--- a/.github/workflows/__test-local-codeql.yml
+++ b/.github/workflows/__test-local-codeql.yml
@@ -32,7 +32,7 @@ jobs:
 name: Local CodeQL bundle
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__test-proxy.yml b/.github/workflows/__test-proxy.yml
index 1b2bb68117..f542d4d4d4 100644
--- a/.github/workflows/__test-proxy.yml
+++ b/.github/workflows/__test-proxy.yml
@@ -34,7 +34,7 @@ jobs:
 name: Proxy test
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__unset-environment.yml b/.github/workflows/__unset-environment.yml
index 3a21054876..82ac0e60b9 100644
--- a/.github/workflows/__unset-environment.yml
+++ b/.github/workflows/__unset-environment.yml
@@ -34,7 +34,7 @@ jobs:
 name: Test unsetting environment variables
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__upload-ref-sha-input.yml b/.github/workflows/__upload-ref-sha-input.yml
index 7483a83621..a1a5ad4b89 100644
--- a/.github/workflows/__upload-ref-sha-input.yml
+++ b/.github/workflows/__upload-ref-sha-input.yml
@@ -36,7 +36,7 @@ jobs:
 name: "Upload-sarif: 'ref' and 'sha' from inputs"
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__with-checkout-path.yml b/.github/workflows/__with-checkout-path.yml
index d054ca0cef..524f965175 100644
--- a/.github/workflows/__with-checkout-path.yml
+++ b/.github/workflows/__with-checkout-path.yml
@@ -36,7 +36,7 @@ jobs:
 name: Use a custom `checkout_path`
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__zstd-bundle-streaming.yml b/.github/workflows/__zstd-bundle-streaming.yml
index e6fad57086..0a5b39d09c 100644
--- a/.github/workflows/__zstd-bundle-streaming.yml
+++ b/.github/workflows/__zstd-bundle-streaming.yml
@@ -34,7 +34,7 @@ jobs:
 name: Zstandard bundle (streaming)
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/__zstd-bundle.yml b/.github/workflows/__zstd-bundle.yml
index f45268af84..a8065cb977 100644
--- a/.github/workflows/__zstd-bundle.yml
+++ b/.github/workflows/__zstd-bundle.yml
@@ -36,7 +36,7 @@ jobs:
 name: Zstandard bundle
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/check-expected-release-files.yml b/.github/workflows/check-expected-release-files.yml
index c5d225b410..fd1d7c5ae8 100644
--- a/.github/workflows/check-expected-release-files.yml
+++ b/.github/workflows/check-expected-release-files.yml
@@ -13,6 +13,9 @@ jobs:
 check-expected-release-files:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+
 steps:
 - name: Checkout CodeQL Action
 uses: actions/checkout@v4
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 0703ff3676..130ef58839 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -24,7 +24,7 @@ jobs:
 versions: ${{ steps.compare.outputs.versions }}
 permissions:
- security-events: write
+ contents: read
 steps:
 - uses: actions/checkout@v4
@@ -80,7 +80,8 @@ jobs:
 runs-on: ${{ matrix.os }}
 permissions:
- security-events: write
+ contents: read
+ security-events: write # needed to upload results
 steps:
 - name: Checkout
diff --git a/.github/workflows/codescanning-config-cli.yml b/.github/workflows/codescanning-config-cli.yml
index c4cd4eeaa8..01795943cb 100644
--- a/.github/workflows/codescanning-config-cli.yml
+++ b/.github/workflows/codescanning-config-cli.yml
@@ -23,6 +23,11 @@ jobs:
 code-scanning-config-tests:
 continue-on-error: true
+ permissions:
+ contents: read
+ packages: read
+ security-events: read
+
 strategy:
 fail-fast: false
 matrix:
diff --git a/.github/workflows/debug-artifacts-failure.yml b/.github/workflows/debug-artifacts-failure.yml
index 4efa196511..995071df6a 100644
--- a/.github/workflows/debug-artifacts-failure.yml
+++ b/.github/workflows/debug-artifacts-failure.yml
@@ -23,6 +23,8 @@ jobs:
 continue-on-error: true
 env:
 CODEQL_ACTION_TEST_MODE: true
+ permissions:
+ contents: read
 timeout-minutes: 45
 runs-on: ubuntu-latest
 steps:
@@ -58,6 +60,8 @@ jobs:
 name: Download and check debug artifacts after failure in analyze
 needs: upload-artifacts
 timeout-minutes: 45
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - name: Download all artifacts
diff --git a/.github/workflows/debug-artifacts.yml b/.github/workflows/debug-artifacts.yml
index a8cf710085..2dd0691359 100644
--- a/.github/workflows/debug-artifacts.yml
+++ b/.github/workflows/debug-artifacts.yml
@@ -34,6 +34,8 @@ jobs:
 env:
 CODEQL_ACTION_TEST_MODE: true
 timeout-minutes: 45
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - name: Check out repository
@@ -64,6 +66,8 @@ jobs:
 name: Download and check debug artifacts
 needs: upload-artifacts
 timeout-minutes: 45
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - name: Download all artifacts
diff --git a/.github/workflows/expected-queries-runs.yml b/.github/workflows/expected-queries-runs.yml
index e76c8920d8..fd75a39a1e 100644
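Review bot: The `packages: read` and `security-events: read` scopes added to code-scanning-config-tests in the codescanning-config-cli.yml hunk carry no explanation, while every other non-obvious scope in this commit is annotated; a reader of this hunk cannot tell why the job needs either. If `packages: read` exists so the job can pull CodeQL packs from the package registry (inferred from the job name — confirm), add `packages: read # needed to download CodeQL packs`, and give `security-events: read` a similar comment or drop it if no step in the job reads alerts, since an unused scope on the job token is only extra exposure. The job's steps lie outside the hunk, so the actual consumers of these scopes are not visible here.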
--- a/.github/workflows/expected-queries-runs.yml
+++ b/.github/workflows/expected-queries-runs.yml
@@ -24,7 +24,7 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 contents: read
- security-events: write
+ security-events: read
 steps:
 - name: Check out repository
 uses: actions/checkout@v4
diff --git a/.github/workflows/post-release-mergeback.yml b/.github/workflows/post-release-mergeback.yml
index f6896fb22b..9b0b35118a 100644
--- a/.github/workflows/post-release-mergeback.yml
+++ b/.github/workflows/post-release-mergeback.yml
@@ -27,6 +27,9 @@ jobs:
 BASE_BRANCH: "${{ github.event.inputs.baseBranch || 'main' }}"
 HEAD_BRANCH: "${{ github.head_ref || github.ref }}"
+ permissions:
+ contents: write # needed to create tags and push commits
+
 steps:
 - name: Dump environment
 run: env
diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
index bd406774b8..18ff782489 100644
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -15,7 +15,7 @@ jobs:
 timeout-minutes: 45
 permissions:
 contents: read
- security-events: write
+ security-events: write # needed to upload ESLint results
 strategy:
 fail-fast: false
@@ -40,6 +40,8 @@ jobs:
 check-node-modules:
 if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
 name: Check modules up to date
+ permissions:
+ contents: read
 runs-on: macos-latest
 timeout-minutes: 45
@@ -51,6 +53,8 @@ jobs:
 check-file-contents:
 if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
 name: Check file contents
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 timeout-minutes: 45
@@ -81,6 +85,8 @@ jobs:
 fail-fast: false
 matrix:
 os: [ubuntu-latest, macos-latest, windows-latest]
+ permissions:
+ contents: read
 runs-on: ${{ matrix.os }}
 timeout-minutes: 45
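Review bot: In the post-release-mergeback.yml hunk, `contents: write # needed to create tags and push commits` is the only scope the job receives, yet a mergeback job of this kind normally also opens a pull request; if that is done with `GITHUB_TOKEN`, the job additionally needs `pull-requests: write`, and if it uses an app or other token for the PR, the comment should say so to stop a later reader from "fixing" it, e.g. `contents: write # tags and commits; PR creation uses a separate token`. The job's steps are outside the hunk, so which token performs the PR step cannot be confirmed from here.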
@@ -101,6 +107,9 @@ jobs:
 env:
 BASE_REF: ${{ github.base_ref }}
+ permissions:
+ contents: read
+
 steps:
 - uses: actions/checkout@v4
 - id: head-version
diff --git a/.github/workflows/python312-windows.yml b/.github/workflows/python312-windows.yml
index da5226dc29..b9eba295b7 100644
--- a/.github/workflows/python312-windows.yml
+++ b/.github/workflows/python312-windows.yml
@@ -17,6 +17,8 @@ jobs:
 env:
 CODEQL_ACTION_TEST_MODE: true
 timeout-minutes: 45
+ permissions:
+ contents: read
 runs-on: windows-latest
 steps:
diff --git a/.github/workflows/rebuild.yml b/.github/workflows/rebuild.yml
index c2dcb2c690..97cac94fbd 100644
--- a/.github/workflows/rebuild.yml
+++ b/.github/workflows/rebuild.yml
@@ -11,6 +11,9 @@ jobs:
 runs-on: ubuntu-latest
 if: github.event.label.name == 'Rebuild'
+ permissions:
+ contents: write # needed to push rebuilt commit
+ pull-requests: write # needed to comment on the PR
 steps:
 - name: Checkout
 uses: actions/checkout@v4
diff --git a/.github/workflows/test-codeql-bundle-all.yml b/.github/workflows/test-codeql-bundle-all.yml
index 2524f58e48..4d08c2117c 100644
--- a/.github/workflows/test-codeql-bundle-all.yml
+++ b/.github/workflows/test-codeql-bundle-all.yml
@@ -27,7 +27,7 @@ jobs:
 name: 'CodeQL Bundle All'
 permissions:
 contents: read
- security-events: write
+ security-events: read
 timeout-minutes: 45
 runs-on: ${{ matrix.os }}
 steps:
diff --git a/.github/workflows/update-bundle.yml b/.github/workflows/update-bundle.yml
index 36a96c7399..73ab6b4141 100644
--- a/.github/workflows/update-bundle.yml
+++ b/.github/workflows/update-bundle.yml
@@ -17,6 +17,9 @@ jobs:
 update-bundle:
 if: github.event.release.prerelease && startsWith(github.event.release.tag_name, 'codeql-bundle-')
 runs-on: ubuntu-latest
+ permissions:
+ contents: write # needed to push commits
+ pull-requests: write # needed to create pull requests
 steps:
 - name: Dump environment
 run: env
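Review bot: The rebuild.yml hunk grants `contents: write` and `pull-requests: write` to a job whose only visible guard is `if: github.event.label.name == 'Rebuild'`, whereas the update-dependencies.yml hunk in this same commit additionally requires `github.event.pull_request.head.repo.full_name == 'github/codeql-action'` before it pushes. If this job checks out and pushes to the labelled PR's head branch, the same head-repo condition belongs in its `if:`, so a write-scoped token is never used against a branch the repository does not own: `if: github.event.label.name == 'Rebuild' && github.event.pull_request.head.repo.full_name == github.repository`. The job's trigger and remaining steps are outside the hunk, so this may already be enforced elsewhere; if it is, a one-line comment next to `permissions:` pointing to that guard would help.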
diff --git a/.github/workflows/update-dependencies.yml b/.github/workflows/update-dependencies.yml
index 0d24650e05..364dec011f 100644
--- a/.github/workflows/update-dependencies.yml
+++ b/.github/workflows/update-dependencies.yml
@@ -9,6 +9,9 @@ jobs:
 timeout-minutes: 45
 runs-on: macos-latest
 if: contains(github.event.pull_request.labels.*.name, 'Update dependencies') && (github.event.pull_request.head.repo.full_name == 'github/codeql-action')
+ permissions:
+ contents: write # needed to push the updated dependencies
+ pull-requests: write # needed to comment on the PR
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
diff --git a/.github/workflows/update-release-branch.yml b/.github/workflows/update-release-branch.yml
index cac2c67b10..71bd817a79 100644
--- a/.github/workflows/update-release-branch.yml
+++ b/.github/workflows/update-release-branch.yml
@@ -22,6 +22,8 @@ jobs:
 latest_tag: ${{ steps.versions.outputs.latest_tag }}
 backport_source_branch: ${{ steps.branches.outputs.backport_source_branch }}
 backport_target_branches: ${{ steps.branches.outputs.backport_target_branches }}
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v4
 with:
@@ -63,6 +65,9 @@ jobs:
 REPOSITORY: "${{ github.repository }}"
 MAJOR_VERSION: "${{ needs.prepare.outputs.major_version }}"
 LATEST_TAG: "${{ needs.prepare.outputs.latest_tag }}"
+ permissions:
+ contents: write # needed to push commits
+ pull-requests: write # needed to create pull request
 steps:
 - uses: actions/checkout@v4
 with:
@@ -114,6 +119,9 @@ jobs:
 env:
 SOURCE_BRANCH: ${{ needs.prepare.outputs.backport_source_branch }}
 TARGET_BRANCH: ${{ matrix.target_branch }}
+ permissions:
+ contents: write # needed to push commits
+ pull-requests: write # needed to create pull request
 steps:
 - name: Generate token
 uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755
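Review bot: The third update-release-branch.yml hunk gives the backport job `contents: write` and `pull-requests: write` on `GITHUB_TOKEN`, but the first visible step of that same job is `Generate token` via `actions/create-github-app-token`; if the push and the pull-request creation use that app token, the two write scopes granted here are never exercised and the job could keep `contents: read`, which is all checkout needs. If some later step does write with `GITHUB_TOKEN`, make the comments say which, e.g. `contents: write # needed to push commits with GITHUB_TOKEN (app token is used for the PR)`, so the scope survives the next least-privilege pass. The rest of the job's steps are outside the hunk, so which token each step uses cannot be confirmed from here.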
diff --git a/.github/workflows/update-supported-enterprise-server-versions.yml b/.github/workflows/update-supported-enterprise-server-versions.yml
index 6900101006..5eaa167c36 100644
--- a/.github/workflows/update-supported-enterprise-server-versions.yml
+++ b/.github/workflows/update-supported-enterprise-server-versions.yml
@@ -10,7 +10,10 @@ jobs:
 name: Update Supported Enterprise Server Versions
 timeout-minutes: 45
 runs-on: ubuntu-latest
- if: ${{ github.repository == 'github/codeql-action' }}
+ if: github.repository == 'github/codeql-action'
+ permissions:
+ contents: write # needed to push commits
+ pull-requests: write # needed to create pull request
 steps:
 - name: Setup Python
diff --git a/pr-checks/checks/submit-sarif-failure.yml b/pr-checks/checks/submit-sarif-failure.yml
index 7dd5ac76ba..0700428853 100644
--- a/pr-checks/checks/submit-sarif-failure.yml
+++ b/pr-checks/checks/submit-sarif-failure.yml
@@ -14,6 +14,10 @@ env:
 # Mark telemetry for this workflow so it can be treated separately.
 CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks
+permissions:
+ contents: read
+ security-events: write # needed to upload the SARIF file
+
 steps:
 - uses: actions/checkout@v4
 - uses: ./init
diff --git a/pr-checks/sync.py b/pr-checks/sync.py
index 13ee591af9..f27dbdd8f3 100755
--- a/pr-checks/sync.py
+++ b/pr-checks/sync.py
@@ -126,7 +126,7 @@ def writeHeader(checkStream):
 'name': checkSpecification['name'],
 'permissions': {
 'contents': 'read',
- 'security-events': 'write'
+ 'security-events': 'read'
 },
 'timeout-minutes': 45,
 'runs-on': '${{ matrix.os }}',
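Review bot: The pr-checks/sync.py hunk only flips the default `'security-events'` value in `writeHeader` to `'read'`, yet the generated `__submit-sarif-failure.yml` in this same commit keeps `security-events: write # needed to upload the SARIF file` followed by a blank line, which is exactly the `permissions:` block added to `pr-checks/checks/submit-sarif-failure.yml`. That implies the generator merges a per-check `permissions` override over this default, but no such merge appears in the hunk; if it does not exist outside it, the next `sync.py` run silently regresses that workflow to `read` and its upload step fails. Confirm the override path, and document the contract on the default, e.g. `# default for generated checks; a check that uploads SARIF sets 'security-events: write' in its own spec`. `writeHeader` begins and ends outside the hunk.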