From dc56e9d93c8e489254554fec6b2f327ac453a391 Mon Sep 17 00:00:00 2001
From: Mike Fairhurst
Date: Mon, 8 Dec 2025 21:16:53 -0800
Subject: [PATCH 1/2] Add workflow permissions
---
 .github/workflows/code-scanning-pack-gen.yml | 2 ++
 .github/workflows/codeql_unit_tests.yml | 2 ++
 .github/workflows/dispatch-matrix-test-on-comment.yml | 4 ++++
 .github/workflows/dispatch-release-performance-check.yml | 4 ++++
 .github/workflows/extra-rule-validation.yml | 2 ++
 .github/workflows/finalize-release.yml | 5 +++++
 .github/workflows/generate-html-docs.yml | 2 ++
 .github/workflows/standard_library_upgrade_tests.yml | 2 ++
 .github/workflows/tooling-unit-tests.yml | 2 ++
 .github/workflows/update-check-run.yml | 2 ++
 .github/workflows/update-release.yml | 4 ++++
 .github/workflows/upgrade_codeql_dependencies.yml | 3 +++
 .github/workflows/validate-package-files.yml | 2 ++
 .github/workflows/validate-query-formatting.yml | 2 ++
 .github/workflows/validate-query-help.yml | 2 ++
 .github/workflows/validate-query-test-case-formatting.yml | 2 ++
 .github/workflows/validate-release.yml | 5 +++++
 .github/workflows/verify-standard-library-dependencies.yml | 2 ++
 18 files changed, 49 insertions(+)
diff --git a/.github/workflows/code-scanning-pack-gen.yml b/.github/workflows/code-scanning-pack-gen.yml
index dde0a1a3f6..3cd501930c 100644
--- a/.github/workflows/code-scanning-pack-gen.yml
+++ b/.github/workflows/code-scanning-pack-gen.yml
@@ -1,4 +1,6 @@
 name: Code Scanning Query Pack Generation
+permissions:
+ contents: read
 on:
 merge_group:
diff --git a/.github/workflows/codeql_unit_tests.yml b/.github/workflows/codeql_unit_tests.yml
index 0f9aadb8b3..c9a557c762 100644
--- a/.github/workflows/codeql_unit_tests.yml
+++ b/.github/workflows/codeql_unit_tests.yml
@@ -1,4 +1,6 @@
 name: CodeQL Unit Testing
+permissions:
+ contents: read
 on:
 merge_group:
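Review bot: The new top-level `permissions:` / `contents: read` in the code-scanning-pack-gen hunk (and in codeql_unit_tests beside it) replaces the repository's default token scope for every job in the file, so any job that relied on a broader default, such as uploading SARIF with `security-events: write`, writing check runs with `checks: write`, or publishing with `packages: write`, now needs its own job-level `permissions:` block or its API call will be rejected. The hunk shows only the file header, so whether such a job exists cannot be confirmed here; a run of each affected workflow before merge would settle it. A one-line comment above the block, `# least-privilege default; a job that needs more declares its own permissions`, would keep the next editor from widening it at the top level.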
diff --git a/.github/workflows/dispatch-matrix-test-on-comment.yml b/.github/workflows/dispatch-matrix-test-on-comment.yml
index 4990694512..d6520c8e86 100644
--- a/.github/workflows/dispatch-matrix-test-on-comment.yml
+++ b/.github/workflows/dispatch-matrix-test-on-comment.yml
@@ -1,4 +1,8 @@
 name: 🤖 Run Matrix Check (On Comment)
+permissions:
+ contents: read
+ actions: write
+ pull-requests: write
 on:
 issue_comment:
diff --git a/.github/workflows/dispatch-release-performance-check.yml b/.github/workflows/dispatch-release-performance-check.yml
index 25e293fa6a..84ffa36174 100644
--- a/.github/workflows/dispatch-release-performance-check.yml
+++ b/.github/workflows/dispatch-release-performance-check.yml
@@ -1,4 +1,8 @@
 name: 🏁 Run Release Performance Check
+permissions:
+ contents: read
+ actions: write
+ pull-requests: write
 on:
 issue_comment:
diff --git a/.github/workflows/extra-rule-validation.yml b/.github/workflows/extra-rule-validation.yml
index 7fef7818aa..6a49e9d268 100644
--- a/.github/workflows/extra-rule-validation.yml
+++ b/.github/workflows/extra-rule-validation.yml
@@ -1,4 +1,6 @@
 name: ⚙️ Extra Rule Validation
+permissions:
+ contents: read
 on:
 merge_group:
diff --git a/.github/workflows/finalize-release.yml b/.github/workflows/finalize-release.yml
index c6ebc8f3dc..33e5518a39 100644
--- a/.github/workflows/finalize-release.yml
+++ b/.github/workflows/finalize-release.yml
@@ -1,4 +1,9 @@
 name: Finalize Release
+permissions:
+ contents: write
+ pull-requests: write
+ actions: write
+
 on:
 pull_request:
 types:
diff --git a/.github/workflows/generate-html-docs.yml b/.github/workflows/generate-html-docs.yml
index a28bfd7905..c524ad0b87 100644
--- a/.github/workflows/generate-html-docs.yml
+++ b/.github/workflows/generate-html-docs.yml
@@ -1,4 +1,6 @@
 name: Generate HTML documentation
+permissions:
+ contents: read
 on:
 merge_group:
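Review bot: The `actions: write` and `pull-requests: write` grants in the dispatch-matrix-test-on-comment hunk sit at the workflow level, so every job in the file receives them rather than only the job that dispatches the matrix run; the same shape appears in dispatch-release-performance-check and finalize-release on this line, in update-release and upgrade_codeql_dependencies on the next, and in validate-release (until the second patch drops that block). Both dispatch workflows trigger on `issue_comment`, which runs on the default branch with a write-capable token in response to comments on public issues and pull requests, so write scopes there deserve to be no wider than the single job that needs them. A tighter arrangement keeps the top level at `permissions:` / `  contents: read` and moves the `actions: write` / `pull-requests: write` pair into the dispatching job's own `permissions:` block. The jobs themselves lie outside these hunks, so whether one job genuinely needs all of the listed scopes cannot be confirmed here.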
diff --git a/.github/workflows/standard_library_upgrade_tests.yml b/.github/workflows/standard_library_upgrade_tests.yml
index 277082d3a5..2ca1e2d1f6 100644
--- a/.github/workflows/standard_library_upgrade_tests.yml
+++ b/.github/workflows/standard_library_upgrade_tests.yml
@@ -1,4 +1,6 @@
 name: CodeQL Standard Library Upgrade tests
+permission:
+ contents: read
 # Run this workflow every time the "supported_codeql_configs.json" file is changed
 on:
diff --git a/.github/workflows/tooling-unit-tests.yml b/.github/workflows/tooling-unit-tests.yml
index 00a36d5c6a..bcb754d68e 100644
--- a/.github/workflows/tooling-unit-tests.yml
+++ b/.github/workflows/tooling-unit-tests.yml
@@ -1,4 +1,6 @@
 name: 🧰 Tooling unit tests
+permissions:
+ contents: read
 on:
 merge_group:
diff --git a/.github/workflows/update-check-run.yml b/.github/workflows/update-check-run.yml
index 225c81fa24..49228c3f62 100644
--- a/.github/workflows/update-check-run.yml
+++ b/.github/workflows/update-check-run.yml
@@ -1,4 +1,6 @@
 name: Update check run
+permissions:
+ contents: read
 on:
 workflow_dispatch:
diff --git a/.github/workflows/update-release.yml b/.github/workflows/update-release.yml
index 6baf99279b..b34abe191a 100644
--- a/.github/workflows/update-release.yml
+++ b/.github/workflows/update-release.yml
@@ -1,4 +1,8 @@
 name: Update Release
+permissions:
+ contents: write
+ pull-requests: write
+ actions: write
 on:
 workflow_dispatch:
diff --git a/.github/workflows/upgrade_codeql_dependencies.yml b/.github/workflows/upgrade_codeql_dependencies.yml
index de187e0e95..8ae3555e8b 100644
--- a/.github/workflows/upgrade_codeql_dependencies.yml
+++ b/.github/workflows/upgrade_codeql_dependencies.yml
@@ -1,4 +1,7 @@
 name: Upgrade supported CodeQL configuration
+permissions:
+ contents: write
+ pull-requests: write
 on:
 workflow_dispatch:
diff --git a/.github/workflows/validate-package-files.yml b/.github/workflows/validate-package-files.yml
index 4e0a51a3b5..81d9a16f3e 100644
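Review bot: The update-check-run hunk pins the whole workflow to `contents: read`, yet the workflow's name suggests it updates check runs, and the GitHub API only allows that with `checks: write`; with the new top-level block in place that scope has to come from a job-level `permissions:` or the update call will be rejected. The job definitions are outside this hunk, so this is an inference from the name rather than from visible code. If a job does need it, the top level can stay as written and that job alone gets `permissions:` / `  checks: write`.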
--- a/.github/workflows/validate-package-files.yml
+++ b/.github/workflows/validate-package-files.yml
@@ -1,4 +1,6 @@
 name: Validate Package Files
+permissions:
+ contents: read
 on:
 merge_group:
 types: [checks_requested]
diff --git a/.github/workflows/validate-query-formatting.yml b/.github/workflows/validate-query-formatting.yml
index ed78505298..a9eee4844b 100644
--- a/.github/workflows/validate-query-formatting.yml
+++ b/.github/workflows/validate-query-formatting.yml
@@ -1,4 +1,6 @@
 name: "Validate Query Formatting"
+permissions:
+ contents: read
 on:
 merge_group:
 types: [checks_requested]
diff --git a/.github/workflows/validate-query-help.yml b/.github/workflows/validate-query-help.yml
index 3ce97d8e9f..e16d6efa1b 100644
--- a/.github/workflows/validate-query-help.yml
+++ b/.github/workflows/validate-query-help.yml
@@ -1,4 +1,6 @@
 name: Validate Query Help Files
+permissions:
+ contents: read
 on:
 merge_group:
 types: [checks_requested]
diff --git a/.github/workflows/validate-query-test-case-formatting.yml b/.github/workflows/validate-query-test-case-formatting.yml
index 1777cacdd9..e466a1aedf 100644
--- a/.github/workflows/validate-query-test-case-formatting.yml
+++ b/.github/workflows/validate-query-test-case-formatting.yml
@@ -1,4 +1,6 @@
 name: Validate Query Test Case Formatting
+permissions:
+ contents: read
 on:
 merge_group:
 types: [checks_requested]
diff --git a/.github/workflows/validate-release.yml b/.github/workflows/validate-release.yml
index cd7d27f6fa..331272c1c2 100644
--- a/.github/workflows/validate-release.yml
+++ b/.github/workflows/validate-release.yml
@@ -1,4 +1,9 @@
 name: Validate release
+permissions:
+ contents: read
+ actions: write
+ checks: write
+ pull-requests: write
 on:
 pull_request:
diff --git a/.github/workflows/verify-standard-library-dependencies.yml b/.github/workflows/verify-standard-library-dependencies.yml
index 4900f11172..ee7df317c1 100644
--- a/.github/workflows/verify-standard-library-dependencies.yml
+++ b/.github/workflows/verify-standard-library-dependencies.yml
@@ -1,4 +1,6 @@
 name: Verify Standard Library Dependencies
+permissions:
+ contents: read
 # Run this workflow every time the "supported_codeql_configs.json" file or a "qlpack.yml" file is changed
 on:
From 0543c54489cfb3315acaef63fdae15af9cb68018 Mon Sep 17 00:00:00 2001
From: Mike Fairhurst
Date: Tue, 9 Dec 2025 00:05:16 -0800
Subject: [PATCH 2/2] Fix typo, redundant permissions, and trailing whitespace
---
 .github/workflows/finalize-release.yml | 2 +-
 .github/workflows/standard_library_upgrade_tests.yml | 2 +-
 .github/workflows/validate-release.yml | 5 -----
 3 files changed, 2 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/finalize-release.yml b/.github/workflows/finalize-release.yml
index 33e5518a39..48e5fe6a10 100644
--- a/.github/workflows/finalize-release.yml
+++ b/.github/workflows/finalize-release.yml
@@ -1,5 +1,5 @@
 name: Finalize Release
-permissions:
+permissions:
 contents: write
 pull-requests: write
 actions: write
diff --git a/.github/workflows/standard_library_upgrade_tests.yml b/.github/workflows/standard_library_upgrade_tests.yml
index 2ca1e2d1f6..1ec72be8ac 100644
--- a/.github/workflows/standard_library_upgrade_tests.yml
+++ b/.github/workflows/standard_library_upgrade_tests.yml
@@ -1,5 +1,5 @@
 name: CodeQL Standard Library Upgrade tests
-permission:
+permissions:
 contents: read
 # Run this workflow every time the "supported_codeql_configs.json" file is changed
diff --git a/.github/workflows/validate-release.yml b/.github/workflows/validate-release.yml
index 331272c1c2..cd7d27f6fa 100644
--- a/.github/workflows/validate-release.yml
+++ b/.github/workflows/validate-release.yml
@@ -1,9 +1,4 @@
 name: Validate release
-permissions:
- contents: read
- actions: write
- checks: write
- pull-requests: write
 on:
 pull_request:
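Review bot: Dropping the whole top-level block from validate-release.yml in the last hunk, rather than narrowing it, puts any job without its own `permissions:` back on the repository's default token scope, which is exactly what the first patch set out to remove. If every job in the file already declares its permissions (the commit message calls the block redundant, which suggests so), behaviour is unchanged, but that cannot be verified from the hunk because the jobs lie outside it. A minimum that still avoids duplicating the job-level grants is `permissions:` / `  contents: read` at the top level, with the job-level blocks supplying `actions`, `checks` and `pull-requests` where each is needed.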