
Document required workflow permissions (README regression) #1913

Open
GregDomzalski opened this issue Oct 2, 2023 · 5 comments
Labels: CodeQL Action (This repo! Helps for internal planning), documentation (Improvements or additions to documentation), good first issue (Good for newcomers)

Comments

@GregDomzalski

Hello,

I've come across quite a few issues in the repo here that seem to boil down to people not knowing what permissions are needed for enabling CodeQL to work in their workflows. I believe for a private repo they are:

      # required for all workflows
      security-events: write

      # only required for workflows in private repositories
      actions: read
      contents: read

These were documented in an old version of the README, which was super helpful. This was removed by this commit.

The documentation the current README points to seems to focus around enabling CodeQL or Advanced Security for new repos or enabling it for the first time.

But we have several repos that have been around for some time. It doesn't seem right that we should disable/remove CodeQL only to re-enable it using the "defaults" listed above.

I've clicked through all of the links that the current README points to, but none of them describe what permissions the code scanning features require. This information seems important to capture somewhere. As a security-minded organization, we want to make sure we're only enabling the minimum set of permissions in a repo, and it would also be helpful to understand why a certain action requires a particular permission.

Could we please add a note on permissions on either the About code scanning with CodeQL page, or one that is easily found from that page?

Thanks!

@adityasharad
Contributor

This is very reasonable, thank you. We'll work with our docs team and get this information added to the code scanning docs, so that existing users can reference it (and understand the rationale) along with new users who see the starter template.

@GregDomzalski
Author

That would be fantastic. Thank you for the consideration!

@aeisenberg added the labels documentation (Improvements or additions to documentation), CodeQL Action (This repo! Helps for internal planning) and good first issue (Good for newcomers) on Oct 18, 2023
@Lizelizethelff

thank you

@alishah62

etd

@aeisenberg
Contributor

aeisenberg commented Jan 9, 2024

I have a change up to update the starter workflow with the comments in the permissions block suggested above. This doesn't solve the discoverability problem, but it's a little better than before. Maybe the best solution is to link to the starter workflow from the readme.

actions/starter-workflows#2275
