refactor(workflow): changes default permissions to read for few workflows increasing security #6
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # The CodeQL workflow is used for code scanning to identify vulnerabilities and errors in your codebase | ||
| name: codeql | ||
| on: | ||
| push: | ||
| branches: [main] | ||
| pull_request: | ||
| branches: [main] | ||
| schedule: | ||
| - cron: 0 0 * * 1 | ||
| permissions: | ||
| contents: read | ||
| jobs: | ||
| analyze: | ||
| name: Analyze | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| actions: read | ||
| contents: read | ||
| security-events: write | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| language: ["cpp","python"] | ||
| steps: | ||
| - uses: action/checkout@v4 | ||
| - name: Initialize codeql | ||
| uses: github/codeql-action/init@v3 | ||
| with: | ||
| languages: ${{ matrix.language }} | ||
| - name: Autobuild | ||
| if: ${{ matrix.language == "python" }} | ||
|
Check failure on line 43 in .github/workflows/codeql.yml
|
||
| uses: github/codeql-action/autobuild@v3 | ||
| - name: build | ||
| if: ${{ matrix.language == "cpp" }} | ||
| run: | | ||
| echo "build application using script" | ||
| ./dragonfly/tools/release.sh | ||
| - name: Perform CodeQL Analysis | ||
| uses: github/codeql-action/analyze@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11 | ||
| with: | ||
| category: "/language:${{matrix.language}}" | ||
