From 14c49b63ddcee877c988f2e3c9137f64e96a4c23 Mon Sep 17 00:00:00 2001
From: Niek Palm
Date: Sun, 2 Feb 2025 10:54:23 +0100
Subject: [PATCH 1/3] chore: enable codeql for actons

---
 .github/workflows/codeql.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 1699e1e0bb..a26f0097ce 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -22,7 +22,7 @@ jobs:
 fail-fast: false
 matrix:
 include:
- - language: javascript-typescript
+ - language: ['javascript-typescript', 'actions']
 build-mode: none
 steps:
 - name: Checkout repository

From 67cb663d479cb5a197f8da004c00f8abbadfb9cd Mon Sep 17 00:00:00 2001
From: Niek Palm
Date: Sun, 2 Feb 2025 11:04:14 +0100
Subject: [PATCH 2/3] chore: enable codeql for actons

---
 .github/workflows/codeql.yml | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index a26f0097ce..c5ec742364 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -21,21 +21,20 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- include:
- - language: ['javascript-typescript', 'actions']
- build-mode: none
+ language: ['javascript-typescript', 'actions']
+
 steps:
 - name: Checkout repository
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5
+ uses: github/codeql-action/init@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
 with:
 languages: ${{ matrix.language }}
- build-mode: ${{ matrix.build-mode }}
+ build-mode: none
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5
+ uses: github/codeql-action/analyze@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
 with:
 category: "/language:${{matrix.language}}"
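Review bot: `build-mode: none` is now hard-coded on the init step for every matrix entry; that is right for javascript-typescript and actions, neither of which is compiled, but a compiled language added to `language:` later would be scanned with the wrong mode without any error, so document the assumption inline: `build-mode: none  # both matrix languages are interpreted; revisit if a compiled language is added`. The `languages:` input now also receives `actions`, which presumably requires the pinned codeql-action v3.28.8 to recognise that language — worth confirming on the first run of this change. The job this hunk belongs to starts above the hunk.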
From a43b9c76e7684ec159da24ef873fc4dc1a502784 Mon Sep 17 00:00:00 2001
From: Niek Palm
Date: Sun, 2 Feb 2025 11:18:38 +0100
Subject: [PATCH 3/3] chore: address codeql security warning

---
 .github/workflows/lambda.yml | 3 +++
 .github/workflows/packer-build.yml | 4 ++++
 .github/workflows/terraform.yml | 4 ++--
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/lambda.yml b/.github/workflows/lambda.yml
index 338653effc..8849d9c5c0 100644
--- a/.github/workflows/lambda.yml
+++ b/.github/workflows/lambda.yml
@@ -8,6 +8,9 @@ on:
 - 'lambdas/**'
 - '.github/workflows/lambda.yml'
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/packer-build.yml b/.github/workflows/packer-build.yml
index 4251f892ff..98a3ec99f6 100644
--- a/.github/workflows/packer-build.yml
+++ b/.github/workflows/packer-build.yml
@@ -8,9 +8,13 @@ on:
 - "images/**"
 - ".github/workflows/packer-build.yml"
 - "module/runners/templates/**"
+permissions:
+ contents: read
+
 env:
 AWS_REGION: eu-west-1
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
 jobs:
 verify_packer:
 name: Verify packer
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
index 8a0c1eb746..21a90168b1 100644
--- a/.github/workflows/terraform.yml
+++ b/.github/workflows/terraform.yml
@@ -113,7 +113,7 @@ jobs:
 key: tflint-${{ hashFiles('.tflint.hcl') }}
 - if: contains(matrix.terraform, '1.3.')
 name: Setup TFLint
- uses: terraform-linters/setup-tflint@v4
+ uses: terraform-linters/setup-tflint@8093687ecc9dcbfa88d07c103ad4176739a7287e # v4.1.0
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 - if: contains(matrix.terraform, '1.3.')
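Review bot: The new top-level `permissions: contents: read` now caps the token for every job in lambda.yml, but only the `build:` job header is visible here, so any later step that writes with `GITHUB_TOKEN` (a release upload or PR comment, for instance) would start failing with a permissions error rather than being caught at review time; confirm each job's needs and grant extra scopes at job level rather than widening this block. A one-line comment makes that intent stick for the next editor: `permissions:  # least-privilege default for all jobs; widen per job, not here`. The `on:` block the hunk opens in starts above the hunk.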
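Review bot: The workflow-level `env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` on the context lines just below the new `permissions:` block still places the token in the environment of every step of every job, so the new `contents: read` ceiling limits what a leaked token can do but not where it is exposed; if only one step needs it (presumably packer plugin downloads, which I cannot see from here), move the token to that step's `env:`. The new block should carry the same intent comment as the one in lambda.yml, `# least-privilege default for all jobs; widen per job, not here`. Style: a blank line was added before `jobs:` but not between the `on:` path list and the new `permissions:`; add one so the top-level stanzas are separated consistently.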
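Review bot: The pinned `uses: terraform-linters/setup-tflint@8093687ecc9dcbfa88d07c103ad4176739a7287e # v4.1.0` is introduced identically in this hunk and in the `@@ -168` hunk that follows, one copy per `matrix.terraform` branch ('1.3.' and '1.5.'); duplicating the step is what turned a one-line pin into two edits and it will drift again on the next bump. If the surrounding cache and lint steps are otherwise the same — the rest of the job is outside both hunks, so verify that first — one step guarded by `if: contains(matrix.terraform, '1.3.') || contains(matrix.terraform, '1.5.')` removes the duplication. Keep the `# v4.1.0` trailer in sync with the SHA on future updates, since that comment is what version-bump tooling reads to track the pin.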
@@ -168,7 +168,7 @@ jobs:
 key: tflint-${{ hashFiles('.tflint.hcl') }}
 - if: contains(matrix.terraform, '1.5.')
 name: Setup TFLint
- uses: terraform-linters/setup-tflint@v4
+ uses: terraform-linters/setup-tflint@8093687ecc9dcbfa88d07c103ad4176739a7287e # v4.1.0
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 - if: contains(matrix.terraform, '1.5.')