From b9fbda1e7dcc2e8bc9899b02573484620eea0325 Mon Sep 17 00:00:00 2001 From: Remco Vermeulen Date: Mon, 30 May 2022 14:11:28 +0200 Subject: [PATCH 1/3] Add actions read permission The CodeQL Action requires this permission to collect information of the workflow run. --- code-scanning/anchore.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index 6f52d5d..5c19cc3 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -28,6 +28,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # for github/codeql-action/upload-sarif to get Action run status runs-on: ubuntu-latest steps: - name: Checkout the code From 27f5b1e9fdf42fe0686ccb89a2926a08c5ca9abe Mon Sep 17 00:00:00 2001 From: Remco Vermeulen Date: Tue, 31 May 2022 12:28:16 +0200 Subject: [PATCH 2/3] Add descriptive comment The `actions: read` permission is only required when the workflow is executed in a private repository. --- code-scanning/anchore.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index 5c19cc3..2753147 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -28,7 +28,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # for github/codeql-action/upload-sarif to get Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github#example-workflow-for-sarif-files-generated-outside-of-a-repository runs-on: ubuntu-latest steps: - name: Checkout the code From 477f6af84e7a702f1832787f81445d0c2bc33010 Mon Sep 17 00:00:00 2001 From: Remco Vermeulen Date: Tue, 31 May 2022 14:19:53 +0200 Subject: [PATCH 3/3] Shorten the comment The comment is shortened by removing the URL to the documentation. Co-authored-by: Sampark Sharma --- code-scanning/anchore.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index 2753147..4fbc9f0 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -28,7 +28,7 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github#example-workflow-for-sarif-files-generated-outside-of-a-repository + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - name: Checkout the code