Workflows are missing permissions requests #15462
Comments
I believe

https://docs.github.com/en/code-security/code-scanning/enabling-code-scanning

I see no way for me to control it. This org actively relies on SARIF analysis, so it shouldn't be disabled... I certainly don't actively try to turn things like this off...

Thanks for reporting this. Could you try re-running the workflows? It might be that the problem was temporary. If it works now (or doesn't work), this will give us more information to address the root cause.
https://github.com/check-spelling-sandbox/codeql/actions/runs/7699091660/job/21030726761#step:3:21
It sounds like @angelapwen and co will write a PR to make the That said, I've posted a PR which should cover the general problem that these workflows aren't declaring their required permissions (they don't), which is a problem for paranoid forks -- and ideally most contributors to a project like codeql would configure their forks with the safer permissions settings.

Ah, you beat me to writing an update on this issue! Yes, we also just noticed that your workflow began succeeding 🥳 once you added the Regarding the API, yes, your understanding is accurate! The change to make the As a side note, the CodeQL Action is also open source (https://github.com/github/codeql-action/) if you'd like to contribute in the future 😆

Fwiw, it'd be really nice if the codeql things that make these API calls reported a friendly error when they detect missing permissions. check-spelling does this in various places:

I've contributed to both. https://github.com/github/codeql-action/pulls?q=is%3Apr+author%3Ajsoref+is%3Aclosed

Thanks for sharing. We'll look at adding this (or some alternative that does something similar) to the CodeQL Action!
I've posted:
This isn't actually fixed yet. The downside of splitting things is that I apparently broke the metadata.

Oh, yes 😺 Reopening this issue to track.
https://github.com/check-spelling-sandbox/codeql/actions/runs/7699091660/workflow
https://github.com/check-spelling-sandbox/codeql/actions/runs/7699091660/job/20979906681#step:19:55
I presume that it needs:
or similar, but this API isn't documented in https://docs.github.com/en/rest/authentication/permissions-required-for-github-apps?apiVersion=2022-11-28 so I have absolutely no idea.
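The thread's point is that a workflow which declares no `permissions:` block silently depends on the repository's default `GITHUB_TOKEN` scopes, so it works in the upstream repo and fails in a fork whose owner has set the default to read-only. The following is an added illustration, not the issue's workflow or a PR from this thread, of what an explicit least-privilege declaration looks like for a CodeQL job. The exact scopes a given action needs are not stated in the issue; the `security-events: write` and `actions: read` scopes shown here are the ones the CodeQL Action's own documentation lists for uploading results, and are marked as assumptions in the comments.

```yaml
# Added example (not from the issue). Constructed CodeQL workflow with an
# explicit permissions declaration so it behaves the same whether the
# repository default token is permissive or read-only.
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:

# Workflow-level default: nothing beyond reading the checkout.
# Every job inherits this unless it declares its own block.
permissions:
  contents: read

jobs:
  analyze:
    runs-on: ubuntu-latest
    # Job-level block overrides the workflow default entirely, so every
    # scope this job needs must be listed here.
    permissions:
      contents: read          # checkout the source
      actions: read           # assumption: read workflow run metadata (private repos)
      security-events: write  # assumption: upload SARIF to code scanning
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript   # constructed value; pick the project's languages
      - uses: github/codeql-action/analyze@v3
```

With the block declared, a fork that has restricted its default token (the "safer permissions settings" mentioned above) still grants exactly these scopes for this job, and a reviewer can see at a glance which API calls the workflow expects to make. The reverse check is also useful: if a job declares only `contents: read` and the SARIF upload step fails with a 403, the missing scope is the first thing to look for, rather than the repository's code-scanning enablement.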