Set explicit contents: read permissions in CI workflow
#36
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Since no other permissions are currently needed in it. This avoids the ambiguous and sometimes greater than intended workflow permissions assigned if no `permissions` key is used. See: https://github.com/github/codeql/blob/main/actions/ql/src/Security/CWE-275/MissingActionsPermissions.md This is similar in motivation to, though much simpler than: GitoxideLabs/gitoxide@f41a58c
Byron
approved these changes
Apr 17, 2025
|
Thanks, and no problem! Since GitoxideLabs/cargo-smart-release#48 (comment), I've enabled CodeQL in |
|
As |
EliahKagan
added a commit
to EliahKagan/algorithms-python
that referenced
this pull request
Apr 25, 2025
This resolves a CodeQL check and is also just a good idea. See GitoxideLabs/prodash#36.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This specifies
contents: readpermissions only forci.yml, since no other permissions are currently needed in it. In so doing, it avoids the ambiguous and sometimes greater than intended workflow permissions assigned if nopermissionskey is used.This is similar in motivation to, though much simpler than, GitoxideLabs/gitoxide@f41a58c (GitoxideLabs/gitoxide#1668).
Although I worked on the workflow in #34, I did not notice that this was missing at that time. But I enabled experimental CodeQL queries for GitHub Actions workflows in my fork, which conveniently found this.
Although CodeQL can be enabled by writing a workflow that runs it (an "advanced" setup), I suggest enabling the default setup, which requires no workflow file, in this repository's security settings. CodeQL doesn't yet have Rust queries, so this would only be for GitHub Actions, for which I think it should not be necessary to go beyond the default setup. (You may also want to enable it in
cargo-smart-release.)By the way, I've found that, at least as things stand now, for GitHub Actions queries, the default setup is in practice more versatile than advanced setups in one important way. Like advanced setups, the default setup allows configuring which suite of queries to run. Since, unlike advanced setups, the default setup requires no workflow file, this makes it easy for an upstream repository and its forks to run different suites, without diverging. For example, I enabled the default setup with the
defaultsuite in gitoxide about 10 days ago, while also running the default setup with thesecurity-extendedsuite in my fork, which includes queries that are more subjective in nature or that may carry more false positives.