Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Document what permissions are required #464

Closed
brettcannon opened this issue Apr 28, 2021 · 8 comments · Fixed by #689
Closed

Document what permissions are required #464

brettcannon opened this issue Apr 28, 2021 · 8 comments · Fixed by #689
Assignees

Comments

@brettcannon
Copy link

We switched our repo to the default read-only permissions for GitHub Actions and our CodeQL workflow started to fail. Based on the failure message it seems the statuses: write permission is required.

P.S. Sorry to file an issue when the issue template selector only says to open an issue with GitHub Support, but none of the options really made sense since there's not "issues with a GitHub project" option.

@aeisenberg
Copy link
Contributor

Thanks, @brettcannon! Let me look at that.

We should also revisit our issue templates.

@aeisenberg aeisenberg self-assigned this Apr 28, 2021
@aeisenberg
Copy link
Contributor

As far as I can tell, if you are using the default workflow, you should only need the following permissions:

    permissions:
      contents: read
      security-events: write
      pull-requests: read

Is your workflow doing anything special?

@The-Compiler
Copy link
Contributor

@aeisenberg I'm not entirely sure if you're aware (apologies if you are!), but there was a recent change which allows restricting the default GitHub secret to read-only access.

This seems like an excellent best practice to follow (principle of least privilege), but indeed the CodeQL action fails with a non-obvious error message:

[...]
  request: {
    method: 'PUT',
    url: 'https://api.github.com/repos/qutebrowser/qutebrowser/code-scanning/analysis/status',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'CodeQL Action octokit-core.js/3.1.2 Node.js/12.13.1 (linux; x64)',
      authorization: 'token [REDACTED]',
      'content-type': 'application/json; charset=utf-8'
    },
    body: [...]
    request: { agent: [Agent], hook: [Function: bound bound register] }
  },
  documentation_url: 'https://docs.github.com/rest'
}
Error: Resource not accessible by integration

like @brettcannon I initially suspected it'd need statuses: write (based on the API URL used), but that didn't help.

Indeed just setting:

permissions:
  security-events: write

seemed to fix this for me, but I probably wouldn't have found if it wasn't for this issue.

brettcannon added a commit to brettcannon/vscode-python that referenced this issue Apr 28, 2021
@brettcannon
Copy link
Author

@aeisenberg It's the vanilla workflow with just the languages we don't use left out: https://github.com/microsoft/vscode-python/blob/main/.github/workflows/codeql-analysis.yml.

But you and the @The-Compiler have the solution I was after and couldn't find in the docs! We have flipped all of our repos to the read-only access on workflows, hence the sudden failure (thanks for the forcing function, codecov 😉 ).

@aeisenberg
Copy link
Contributor

Glad this worked out for you. We've recently (ie- yesterday) moved over to using permissions on our own repositories and workflows, so we are still figuring this out ourselves.

It sounds like the best solution here is to update the documentation.

@aeisenberg
Copy link
Contributor

It's possible that you will also need the: actions: read permission. Some code flows will make requests to introspect the current workflow and this permission is needed. So, if you get any more failures, try adding that permission as well.

charleskorn added a commit to batect/abacus that referenced this issue May 11, 2021
samth added a commit to racket/racket that referenced this issue May 12, 2021
maueroats pushed a commit to maueroats/racket that referenced this issue Jun 17, 2021
maueroats pushed a commit to maueroats/racket that referenced this issue Jun 17, 2021
NicolasT added a commit to scality/changelog-binder that referenced this issue Jun 23, 2021
NicolasT added a commit to scality/changelog-binder that referenced this issue Jun 23, 2021
potiuk added a commit to potiuk/airflow that referenced this issue Jun 25, 2021
After limiting permissions, our CodeQL workflow started failing.

This is because it needs some extra permissions as explained in
the github/codeql-action#464

This PR adds the required permissions.
potiuk added a commit to apache/airflow that referenced this issue Jun 25, 2021
After limiting permissions, our CodeQL workflow started failing.

This is because it needs some extra permissions as explained in
the github/codeql-action#464

This PR adds the required permissions.
potiuk added a commit to apache/airflow that referenced this issue Jul 18, 2021
After limiting permissions, our CodeQL workflow started failing.

This is because it needs some extra permissions as explained in
the github/codeql-action#464

This PR adds the required permissions.

(cherry picked from commit b8a9e9f)
@jaqx0r
Copy link

jaqx0r commented Aug 9, 2021

I too came looking for the correct permissions to lock down a codeql workflow to, and think that all you need here is to put the suggestion from #464 (comment) or even #464 (comment) in the example in the README and the default template and you'll have resolved this issue.

@aeisenberg
Copy link
Contributor

README is updated, but we haven't made changes yet to the suggested workflows.

jay added a commit to curl/curl that referenced this issue Aug 17, 2021
- Enable codeql writing security-events.

GitHub set the default permissions to read, apparently since earlier
this year.

Ref: github/codeql-action#464
Ref: https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/

Fixes #7575
Closes #7576
kaxil pushed a commit to apache/airflow that referenced this issue Aug 17, 2021
After limiting permissions, our CodeQL workflow started failing.

This is because it needs some extra permissions as explained in
the github/codeql-action#464

This PR adds the required permissions.

(cherry picked from commit b8a9e9f)
jhtimmins pushed a commit to apache/airflow that referenced this issue Aug 17, 2021
After limiting permissions, our CodeQL workflow started failing.

This is because it needs some extra permissions as explained in
the github/codeql-action#464

This PR adds the required permissions.

(cherry picked from commit b8a9e9f)
aanm pushed a commit to cilium/cilium that referenced this issue Sep 15, 2021
We recently started getting the message

  request: {
    method: 'PUT',
    url: 'https://api.github.com/repos/cilium/cilium/code-scanning/analysis/status',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'CodeQL Action octokit-core.js/3.1.2 Node.js/12.13.1 (linux; x64)',
      authorization: 'token [REDACTED]',
      'content-type': 'application/json; charset=utf-8'
    },
    body: '{"workflow_run_id":1221776932,"workflow_name":"codeql","job_name":"analyze","analysis_key":".github/workflows/lint-codeql.yaml:analyze","commit_oid":"d82ac6f54c0118088cc46d8d892ff5e87cf5d09e","ref":"refs/heads/master","action_name":"init","action_ref":"b7dd4a6f2c343e29a9ab8e181b2f540816f28bd7","action_oid":"unknown","started_at":"2021-09-10T15:35:29.029Z","action_started_at":"2021-09-10T15:35:29.029Z","status":"starting","cause":"MismatchedBranches","matrix_vars":"null"}',
    request: { agent: [Agent], hook: [Function: bound bound register] }
  },
  documentation_url: 'https://docs.github.com/rest'
}
Error: Resource not accessible by integration

when CodeQL runs on CI.

From reading github/codeql-action#464,
permission to write security events is needed.

Signed-off-by: Tom Payne <tom@isovalent.com>
leahecole pushed a commit to GoogleCloudPlatform/composer-airflow that referenced this issue Nov 27, 2021
After limiting permissions, our CodeQL workflow started failing.

This is because it needs some extra permissions as explained in
the github/codeql-action#464

This PR adds the required permissions.

(cherry picked from commit b8a9e9fba6737500bdcce920028ece87a31ab129)

GitOrigin-RevId: 6720544199537def2092555f01be32b4b7359779
leahecole pushed a commit to GoogleCloudPlatform/composer-airflow that referenced this issue Mar 10, 2022
After limiting permissions, our CodeQL workflow started failing.

This is because it needs some extra permissions as explained in
the github/codeql-action#464

This PR adds the required permissions.

GitOrigin-RevId: b8a9e9fba6737500bdcce920028ece87a31ab129
leahecole pushed a commit to GoogleCloudPlatform/composer-airflow that referenced this issue Jun 4, 2022
After limiting permissions, our CodeQL workflow started failing.

This is because it needs some extra permissions as explained in
the github/codeql-action#464

This PR adds the required permissions.

GitOrigin-RevId: b8a9e9fba6737500bdcce920028ece87a31ab129
kosteev pushed a commit to GoogleCloudPlatform/composer-airflow that referenced this issue Jul 10, 2022
After limiting permissions, our CodeQL workflow started failing.

This is because it needs some extra permissions as explained in
the github/codeql-action#464

This PR adds the required permissions.

GitOrigin-RevId: b8a9e9fba6737500bdcce920028ece87a31ab129
leahecole pushed a commit to GoogleCloudPlatform/composer-airflow that referenced this issue Aug 27, 2022
After limiting permissions, our CodeQL workflow started failing.

This is because it needs some extra permissions as explained in
the github/codeql-action#464

This PR adds the required permissions.

GitOrigin-RevId: b8a9e9fba6737500bdcce920028ece87a31ab129
leahecole pushed a commit to GoogleCloudPlatform/composer-airflow that referenced this issue Oct 4, 2022
After limiting permissions, our CodeQL workflow started failing.

This is because it needs some extra permissions as explained in
the github/codeql-action#464

This PR adds the required permissions.

GitOrigin-RevId: b8a9e9fba6737500bdcce920028ece87a31ab129
aglipska pushed a commit to GoogleCloudPlatform/composer-airflow that referenced this issue Oct 7, 2022
After limiting permissions, our CodeQL workflow started failing.

This is because it needs some extra permissions as explained in
the github/codeql-action#464

This PR adds the required permissions.

GitOrigin-RevId: b8a9e9fba6737500bdcce920028ece87a31ab129
leahecole pushed a commit to GoogleCloudPlatform/composer-airflow that referenced this issue Dec 7, 2022
After limiting permissions, our CodeQL workflow started failing.

This is because it needs some extra permissions as explained in
the github/codeql-action#464

This PR adds the required permissions.

GitOrigin-RevId: b8a9e9fba6737500bdcce920028ece87a31ab129
leahecole pushed a commit to GoogleCloudPlatform/composer-airflow that referenced this issue Jan 27, 2023
After limiting permissions, our CodeQL workflow started failing.

This is because it needs some extra permissions as explained in
the github/codeql-action#464

This PR adds the required permissions.

GitOrigin-RevId: b8a9e9fba6737500bdcce920028ece87a31ab129
chensation added a commit to microsoft/service-fabric-explorer that referenced this issue Apr 2, 2024
chensation added a commit to microsoft/service-fabric-explorer that referenced this issue Apr 2, 2024
kosteev pushed a commit to kosteev/composer-airflow-test-copybara that referenced this issue Sep 12, 2024
After limiting permissions, our CodeQL workflow started failing.

This is because it needs some extra permissions as explained in
the github/codeql-action#464

This PR adds the required permissions.

GitOrigin-RevId: b8a9e9fba6737500bdcce920028ece87a31ab129
kosteev pushed a commit to kosteev/composer-airflow-test-copybara that referenced this issue Sep 13, 2024
After limiting permissions, our CodeQL workflow started failing.

This is because it needs some extra permissions as explained in
the github/codeql-action#464

This PR adds the required permissions.

GitOrigin-RevId: b8a9e9fba6737500bdcce920028ece87a31ab129
kosteev pushed a commit to GoogleCloudPlatform/composer-airflow that referenced this issue Sep 17, 2024
After limiting permissions, our CodeQL workflow started failing.

This is because it needs some extra permissions as explained in
the github/codeql-action#464

This PR adds the required permissions.

GitOrigin-RevId: b8a9e9fba6737500bdcce920028ece87a31ab129
kosteev pushed a commit to GoogleCloudPlatform/composer-airflow that referenced this issue Nov 7, 2024
After limiting permissions, our CodeQL workflow started failing.

This is because it needs some extra permissions as explained in
the github/codeql-action#464

This PR adds the required permissions.

GitOrigin-RevId: b8a9e9fba6737500bdcce920028ece87a31ab129
jas88 pushed a commit to jas88/LineReader that referenced this issue Nov 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants