Document what permissions are required #464
Comments
|
Thanks, @brettcannon! Let me look at that. We should also revisit our issue templates. |
|
As far as I can tell, if you are using the default workflow, you should only need the following permissions: Is your workflow doing anything special? |
|
@aeisenberg I'm not entirely sure if you're aware (apologies if you are!), but there was a recent change which allows restricting the default GitHub secret to read-only access. This seems like an excellent best practice to follow (principle of least privilege), but indeed the CodeQL action fails with a non-obvious error message: like @brettcannon I initially suspected it'd need Indeed just setting: permissions:
security-events: writeseemed to fix this for me, but I probably wouldn't have found if it wasn't for this issue. |
|
@aeisenberg It's the vanilla workflow with just the languages we don't use left out: https://github.com/microsoft/vscode-python/blob/main/.github/workflows/codeql-analysis.yml. But you and the @The-Compiler have the solution I was after and couldn't find in the docs! We have flipped all of our repos to the read-only access on workflows, hence the sudden failure (thanks for the forcing function, codecov |
|
Glad this worked out for you. We've recently (ie- yesterday) moved over to using It sounds like the best solution here is to update the documentation. |
|
It's possible that you will also need the: |
Hopefully this fixes the CI actions on the `main`/`master` branches. See: github/codeql-action#464 See: https://github.com/scality/changelog-binder/runs/2896442908?check_suite_focus=true See: #29
Hopefully this fixes the CI actions on the `main`/`master` branches. See: github/codeql-action#464 See: https://github.com/scality/changelog-binder/runs/2896442908?check_suite_focus=true See: #29
After limiting permissions, our CodeQL workflow started failing. This is because it needs some extra permissions as explained in the github/codeql-action#464 This PR adds the required permissions.
After limiting permissions, our CodeQL workflow started failing. This is because it needs some extra permissions as explained in the github/codeql-action#464 This PR adds the required permissions.
After limiting permissions, our CodeQL workflow started failing. This is because it needs some extra permissions as explained in the github/codeql-action#464 This PR adds the required permissions.
We switched our repo to the default read-only permissions for GitHub Actions and our CodeQL workflow started to fail. Based on the failure message it seems the
statuses: writepermission is required.P.S. Sorry to file an issue when the issue template selector only says to open an issue with GitHub Support, but none of the options really made sense since there's not "issues with a GitHub project" option.
The text was updated successfully, but these errors were encountered: