Mercurial > vim
annotate .github/workflows/codeql-analysis.yml @ 30515:5b94b8c82687 v9.0.0593
patch 9.0.0593: CI actions have too many permissions
Commit: https://github.com/vim/vim/commit/311df6bb0f861154e6a27144c226c805c7554a94
Author: Alex <aleksandrosansan@gmail.com>
Date: Mon Sep 26 15:52:46 2022 +0100
patch 9.0.0593: CI actions have too many permissions
Problem: CI actions have too many permissions.
Solution: Restrict permissions to what is required. (closes https://github.com/vim/vim/issues/11223)
| author | Bram Moolenaar <Bram@vim.org> |
|---|---|
| date | Mon, 26 Sep 2022 17:00:03 +0200 |
| parents | a8c0c5865e73 |
| children | db65486d8d75 |
| rev | line source |
|---|---|
|
22472
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
1 # For most projects, this workflow file will not need changing; you simply need |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
2 # to commit it to your repository. |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
3 # |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
4 # You may wish to alter this file to override the set of languages analyzed, |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
5 # or to provide custom queries or build logic. |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
6 name: "CodeQL" |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
7 |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
8 on: |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
9 push: |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
10 branches: [master] |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
11 pull_request: |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
12 # The branches below must be a subset of the branches above |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
13 branches: [master] |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
14 schedule: |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
15 - cron: '0 18 * * 1' |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
16 |
|
26725
11383a35b497
patch 8.2.3891: github CI: workflows may overlap
Bram Moolenaar <Bram@vim.org>
parents:
25700
diff
changeset
|
17 # Cancels all previous workflow runs for pull requests that have not completed. |
|
11383a35b497
patch 8.2.3891: github CI: workflows may overlap
Bram Moolenaar <Bram@vim.org>
parents:
25700
diff
changeset
|
18 concurrency: |
|
11383a35b497
patch 8.2.3891: github CI: workflows may overlap
Bram Moolenaar <Bram@vim.org>
parents:
25700
diff
changeset
|
19 # The concurrency group contains the workflow name and the branch name for |
|
11383a35b497
patch 8.2.3891: github CI: workflows may overlap
Bram Moolenaar <Bram@vim.org>
parents:
25700
diff
changeset
|
20 # pull requests or the commit hash for any other events. |
|
11383a35b497
patch 8.2.3891: github CI: workflows may overlap
Bram Moolenaar <Bram@vim.org>
parents:
25700
diff
changeset
|
21 group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }} |
|
11383a35b497
patch 8.2.3891: github CI: workflows may overlap
Bram Moolenaar <Bram@vim.org>
parents:
25700
diff
changeset
|
22 cancel-in-progress: true |
|
11383a35b497
patch 8.2.3891: github CI: workflows may overlap
Bram Moolenaar <Bram@vim.org>
parents:
25700
diff
changeset
|
23 |
|
30515
5b94b8c82687
patch 9.0.0593: CI actions have too many permissions
Bram Moolenaar <Bram@vim.org>
parents:
29060
diff
changeset
|
24 permissions: |
|
5b94b8c82687
patch 9.0.0593: CI actions have too many permissions
Bram Moolenaar <Bram@vim.org>
parents:
29060
diff
changeset
|
25 contents: read # to fetch code (actions/checkout) |
|
5b94b8c82687
patch 9.0.0593: CI actions have too many permissions
Bram Moolenaar <Bram@vim.org>
parents:
29060
diff
changeset
|
26 |
|
22472
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
27 jobs: |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
28 analyze: |
|
30515
5b94b8c82687
patch 9.0.0593: CI actions have too many permissions
Bram Moolenaar <Bram@vim.org>
parents:
29060
diff
changeset
|
29 permissions: |
|
5b94b8c82687
patch 9.0.0593: CI actions have too many permissions
Bram Moolenaar <Bram@vim.org>
parents:
29060
diff
changeset
|
30 contents: read # to fetch code (actions/checkout) |
|
5b94b8c82687
patch 9.0.0593: CI actions have too many permissions
Bram Moolenaar <Bram@vim.org>
parents:
29060
diff
changeset
|
31 security-events: write # (github/codeql-action/autobuild) |
|
5b94b8c82687
patch 9.0.0593: CI actions have too many permissions
Bram Moolenaar <Bram@vim.org>
parents:
29060
diff
changeset
|
32 |
|
22472
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
33 name: Analyze |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
34 runs-on: ubuntu-latest |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
35 |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
36 strategy: |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
37 fail-fast: false |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
38 matrix: |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
39 # Override automatic language detection by changing the below list |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
40 # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python'] |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
41 language: ['cpp', 'python'] |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
42 # Learn more... |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
43 # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
44 |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
45 steps: |
|
29060
a8c0c5865e73
patch 8.2.5052: CI checkout step title is a bit cryptic
Bram Moolenaar <Bram@vim.org>
parents:
28927
diff
changeset
|
46 - name: Checkout repository from github |
|
28927
272a24b53d0c
patch 8.2.4986: some github actions are outdated
Bram Moolenaar <Bram@vim.org>
parents:
26725
diff
changeset
|
47 uses: actions/checkout@v3 |
|
22472
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
48 |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
49 # Initializes the CodeQL tools for scanning. |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
50 - name: Initialize CodeQL |
|
28927
272a24b53d0c
patch 8.2.4986: some github actions are outdated
Bram Moolenaar <Bram@vim.org>
parents:
26725
diff
changeset
|
51 uses: github/codeql-action/init@v2 |
|
22472
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
52 with: |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
53 languages: ${{ matrix.language }} |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
54 # If you wish to specify custom queries, you can do so here or in a config file. |
| 25700 | 55 # By default, queries listed here will override any specified in a config file. |
|
22472
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
56 # Prefix the list here with "+" to use these queries and those in the config file. |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
57 # queries: ./path/to/local/query, your-org/your-repo/queries@main |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
58 |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
59 # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
60 # If this step fails, then you should remove it and run the build manually (see below) |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
61 - name: Autobuild |
|
28927
272a24b53d0c
patch 8.2.4986: some github actions are outdated
Bram Moolenaar <Bram@vim.org>
parents:
26725
diff
changeset
|
62 uses: github/codeql-action/autobuild@v2 |
|
22472
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
63 |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
64 # âšī¸ Command-line programs to run using the OS shell. |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
65 # đ https://git.io/JvXDl |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
66 |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
67 # âī¸ If the Autobuild fails above, remove it and uncomment the following three lines |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
68 # and modify them (or add more) to build your code if your project |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
69 # uses a compiled language |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
70 |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
71 #- run: | |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
72 # make bootstrap |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
73 # make release |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
74 |
|
90d5201dee5f
patch 8.2.1784: commits are not scanned for security problems
Bram Moolenaar <Bram@vim.org>
parents:
diff
changeset
|
75 - name: Perform CodeQL Analysis |
|
28927
272a24b53d0c
patch 8.2.4986: some github actions are outdated
Bram Moolenaar <Bram@vim.org>
parents:
26725
diff
changeset
|
76 uses: github/codeql-action/analyze@v2 |