github
Document required workflow permissions (README regression)
Hello,
I've come across quite a few issues in the repo here that seem to boil down to people not knowing what permissions are needed for enabling CodeQL to work in their workflows. I believe for private repo they are:
# required for all workflows
security-events: write
# only required for workflows in private repositories
actions: read
contents: read
These were documented in an old version of the README, which was super helpful. This was removed by this commit.
The documentation the current README points to seems to focus around enabling CodeQL or Advanced Security for new repos or enabling it for the first time.
But we have several repos that have been around for some time. It doesn't seem right that we should disable/remove CodeQL only to re-enable it using the "defaults" listed above.
I've clicked through all of the links that the current README point to but none of them describe what permissions the code scanning features require. This information seems important to capture somewhere. As a security minded organization, we want to make sure we're only enabling the minimum set of permissions in a repo, and it would be helpful to understand also why a certain action requires a particular permission.
Could we please add a note on permissions on either the About code scanning with CodeQL page, or one that is easily found from that page?
Thanks!
This is very reasonable, thank you. We'll work with our docs team and get this information added to the code scanning docs, so that existing users can reference it (and understand the rationale) along with new users who see the starter template.
I have a change up to update the starter workflow with the comments in the permissions block suggested above. This doesn't solve the discoverability problem, but it's a little better than before. Maybe the best solution is to link to the starter workflow from the readme.
https://github.com/actions/starter-workflows/pull/2275
