-
Notifications
You must be signed in to change notification settings - Fork 334
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Document what permissions are required #464
Comments
Thanks, @brettcannon! Let me look at that. We should also revisit our issue templates. |
As far as I can tell, if you are using the default workflow, you should only need the following permissions:
Is your workflow doing anything special? |
@aeisenberg I'm not entirely sure if you're aware (apologies if you are!), but there was a recent change which allows restricting the default GitHub secret to read-only access. This seems like an excellent best practice to follow (principle of least privilege), but indeed the CodeQL action fails with a non-obvious error message:
like @brettcannon I initially suspected it'd need Indeed just setting: permissions:
security-events: write seemed to fix this for me, but I probably wouldn't have found if it wasn't for this issue. |
@aeisenberg It's the vanilla workflow with just the languages we don't use left out: https://github.com/microsoft/vscode-python/blob/main/.github/workflows/codeql-analysis.yml. But you and the @The-Compiler have the solution I was after and couldn't find in the docs! We have flipped all of our repos to the read-only access on workflows, hence the sudden failure (thanks for the forcing function, codecov 😉 ). |
Glad this worked out for you. We've recently (ie- yesterday) moved over to using It sounds like the best solution here is to update the documentation. |
It's possible that you will also need the: |
Hopefully this fixes the CI actions on the `main`/`master` branches. See: github/codeql-action#464 See: https://github.com/scality/changelog-binder/runs/2896442908?check_suite_focus=true See: #29
Hopefully this fixes the CI actions on the `main`/`master` branches. See: github/codeql-action#464 See: https://github.com/scality/changelog-binder/runs/2896442908?check_suite_focus=true See: #29
After limiting permissions, our CodeQL workflow started failing. This is because it needs some extra permissions as explained in the github/codeql-action#464 This PR adds the required permissions.
After limiting permissions, our CodeQL workflow started failing. This is because it needs some extra permissions as explained in the github/codeql-action#464 This PR adds the required permissions.
After limiting permissions, our CodeQL workflow started failing. This is because it needs some extra permissions as explained in the github/codeql-action#464 This PR adds the required permissions. (cherry picked from commit b8a9e9f)
I too came looking for the correct permissions to lock down a codeql workflow to, and think that all you need here is to put the suggestion from #464 (comment) or even #464 (comment) in the example in the README and the default template and you'll have resolved this issue. |
README is updated, but we haven't made changes yet to the suggested workflows. |
- Enable codeql writing security-events. GitHub set the default permissions to read, apparently since earlier this year. Ref: github/codeql-action#464 Ref: https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ Fixes #7575 Closes #7576
After limiting permissions, our CodeQL workflow started failing. This is because it needs some extra permissions as explained in the github/codeql-action#464 This PR adds the required permissions. (cherry picked from commit b8a9e9f)
After limiting permissions, our CodeQL workflow started failing. This is because it needs some extra permissions as explained in the github/codeql-action#464 This PR adds the required permissions. (cherry picked from commit b8a9e9f)
We recently started getting the message request: { method: 'PUT', url: 'https://api.github.com/repos/cilium/cilium/code-scanning/analysis/status', headers: { accept: 'application/vnd.github.v3+json', 'user-agent': 'CodeQL Action octokit-core.js/3.1.2 Node.js/12.13.1 (linux; x64)', authorization: 'token [REDACTED]', 'content-type': 'application/json; charset=utf-8' }, body: '{"workflow_run_id":1221776932,"workflow_name":"codeql","job_name":"analyze","analysis_key":".github/workflows/lint-codeql.yaml:analyze","commit_oid":"d82ac6f54c0118088cc46d8d892ff5e87cf5d09e","ref":"refs/heads/master","action_name":"init","action_ref":"b7dd4a6f2c343e29a9ab8e181b2f540816f28bd7","action_oid":"unknown","started_at":"2021-09-10T15:35:29.029Z","action_started_at":"2021-09-10T15:35:29.029Z","status":"starting","cause":"MismatchedBranches","matrix_vars":"null"}', request: { agent: [Agent], hook: [Function: bound bound register] } }, documentation_url: 'https://docs.github.com/rest' } Error: Resource not accessible by integration when CodeQL runs on CI. From reading github/codeql-action#464, permission to write security events is needed. Signed-off-by: Tom Payne <tom@isovalent.com>
After limiting permissions, our CodeQL workflow started failing. This is because it needs some extra permissions as explained in the github/codeql-action#464 This PR adds the required permissions. (cherry picked from commit b8a9e9fba6737500bdcce920028ece87a31ab129) GitOrigin-RevId: 6720544199537def2092555f01be32b4b7359779
After limiting permissions, our CodeQL workflow started failing. This is because it needs some extra permissions as explained in the github/codeql-action#464 This PR adds the required permissions. GitOrigin-RevId: b8a9e9fba6737500bdcce920028ece87a31ab129
After limiting permissions, our CodeQL workflow started failing. This is because it needs some extra permissions as explained in the github/codeql-action#464 This PR adds the required permissions. GitOrigin-RevId: b8a9e9fba6737500bdcce920028ece87a31ab129
After limiting permissions, our CodeQL workflow started failing. This is because it needs some extra permissions as explained in the github/codeql-action#464 This PR adds the required permissions. GitOrigin-RevId: b8a9e9fba6737500bdcce920028ece87a31ab129
After limiting permissions, our CodeQL workflow started failing. This is because it needs some extra permissions as explained in the github/codeql-action#464 This PR adds the required permissions. GitOrigin-RevId: b8a9e9fba6737500bdcce920028ece87a31ab129
After limiting permissions, our CodeQL workflow started failing. This is because it needs some extra permissions as explained in the github/codeql-action#464 This PR adds the required permissions. GitOrigin-RevId: b8a9e9fba6737500bdcce920028ece87a31ab129
After limiting permissions, our CodeQL workflow started failing. This is because it needs some extra permissions as explained in the github/codeql-action#464 This PR adds the required permissions. GitOrigin-RevId: b8a9e9fba6737500bdcce920028ece87a31ab129
After limiting permissions, our CodeQL workflow started failing. This is because it needs some extra permissions as explained in the github/codeql-action#464 This PR adds the required permissions. GitOrigin-RevId: b8a9e9fba6737500bdcce920028ece87a31ab129
After limiting permissions, our CodeQL workflow started failing. This is because it needs some extra permissions as explained in the github/codeql-action#464 This PR adds the required permissions. GitOrigin-RevId: b8a9e9fba6737500bdcce920028ece87a31ab129
based on this issue: github/codeql-action#464
based on this issue: github/codeql-action#464
After limiting permissions, our CodeQL workflow started failing. This is because it needs some extra permissions as explained in the github/codeql-action#464 This PR adds the required permissions. GitOrigin-RevId: b8a9e9fba6737500bdcce920028ece87a31ab129
After limiting permissions, our CodeQL workflow started failing. This is because it needs some extra permissions as explained in the github/codeql-action#464 This PR adds the required permissions. GitOrigin-RevId: b8a9e9fba6737500bdcce920028ece87a31ab129
After limiting permissions, our CodeQL workflow started failing. This is because it needs some extra permissions as explained in the github/codeql-action#464 This PR adds the required permissions. GitOrigin-RevId: b8a9e9fba6737500bdcce920028ece87a31ab129
After limiting permissions, our CodeQL workflow started failing. This is because it needs some extra permissions as explained in the github/codeql-action#464 This PR adds the required permissions. GitOrigin-RevId: b8a9e9fba6737500bdcce920028ece87a31ab129
We switched our repo to the default read-only permissions for GitHub Actions and our CodeQL workflow started to fail. Based on the failure message it seems the
statuses: write
permission is required.P.S. Sorry to file an issue when the issue template selector only says to open an issue with GitHub Support, but none of the options really made sense since there's not "issues with a GitHub project" option.
The text was updated successfully, but these errors were encountered: