Have CodeQL scan GitHub Actions workflows as well as Python code by EliahKagan · Pull Request #2032 · gitpython-developers/GitPython

added 4 commits

May 30, 2025 14:37
So GitHub can regenerate a fresh new one based on current defaults.

This adds CodeQL scanning of GitHub Actions, while continuing to
scan Python as well.

This will subsequently be customized slightly to restore some
elements of the previous custom workflow that we may prefer.

This restores three aspects of the previous `codeql.yml`:

- Run it on all branches, not just `main`.

- Run it on the previous schedule rather than the new one, since
  there's no reason to change the schedule (though there's no
  reason to be attached to the old schedule either).

- Use "CodeQL" rather than "CodeQL Advanced" as the workflow
  `name`, since this takes up less horizontal space when reading
  the reports from the checks.

Of these, only the first is really significant.

This is another change back to the way we had it before, but the
removals are based specifically on the guidance in the default
workflow comments about why each permission was given by default.

EliahKagan added a commit to EliahKagan/GitPython that referenced this pull request

May 30, 2025
Three CI workflows that need only `contents: read` permissions and
no other permissions did not have explicit permissions set, and
would therefore be given permissions configured for the repository.

It is recommended to set explicit workflow permissions. This does
so, bringing those workflows in line with `pythonpackage.yml` (which
had this), and closing three `actions/missing-workflow-permissions`
CodeQL alerts (new since gitpython-developers#2032 enabled scanning of GHA workflows).

See also:
https://codeql.github.com/codeql-query-help/actions/actions-missing-workflow-permissions/

EliahKagan added a commit to EliahKagan/GitPython that referenced this pull request

May 30, 2025
Three CI workflows that need only `contents: read` permissions and
no other permissions did not have explicit permissions set, and
would therefore be given default permissions configured for the
repository, which might be more expansive than the workflows need.

It is recommended to set explicit workflow permissions [1]. This
does that, specifying permissions as `pythonpackage.yml` already
did, and closing three `actions/missing-workflow-permissions`
CodeQL alerts (new since gitpython-developers#2032 enabled scanning of GHA workflows).

[1]: https://codeql.github.com/codeql-query-help/actions/actions-missing-workflow-permissions/
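An added check, not the project's code and not the CodeQL query itself, that flags jobs running without an explicitly declared `permissions` block, the condition behind the `actions/missing-workflow-permissions` alerts the commits above close. The sample workflows are constructed, and a minimal indentation-based scan stands in for a YAML parser so it runs offline.

```python
import re

# A job is reported when neither it nor the workflow declares `permissions`,
# so it inherits the repository's default grant. Assumption: a minimal
# indentation-based scan (two-space layout) stands in for a YAML parser so
# this runs offline; it approximates, not reproduces, the CodeQL query.
TOP_KEY = re.compile(r"^([A-Za-z_][\w-]*):")    # key at column 0
JOB_KEY = re.compile(r"^  ([A-Za-z_][\w-]*):")  # job id under `jobs:`
JOB_PERMS = re.compile(r"^    permissions:")    # job-level permissions

def jobs_missing_permissions(workflow_text: str) -> list[str]:
    """Return ids of jobs that would run with inherited (implicit) permissions."""
    workflow_level = in_jobs = False
    jobs: dict[str, bool] = {}
    current = None
    for line in workflow_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        top = TOP_KEY.match(line)
        if top:
            workflow_level |= top.group(1) == "permissions"
            in_jobs = top.group(1) == "jobs"
            current = None
        elif in_jobs:
            job = JOB_KEY.match(line)
            if job:
                current = job.group(1)
                jobs[current] = False
            elif current and JOB_PERMS.match(line):
                jobs[current] = True
    if workflow_level:
        return []
    return [job for job, explicit in jobs.items() if not explicit]


# Constructed sample: nothing declares permissions, so `test` inherits
# whatever the repository default allows.
UNSCOPED = """\
name: Test
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""

# Constructed sample: the read-only grant the commit messages describe,
# declared once at workflow level, covers every job.
SCOPED = "permissions:\n  contents: read\n" + UNSCOPED
```

Running `jobs_missing_permissions(UNSCOPED)` returns `["test"]`, while the scoped variant returns an empty list; a job-level `permissions` block also clears that job on its own.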