diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 92f5e24b3c..0b32bc20e8 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -31,34 +31,29 @@ jobs:
 permissions:
 contents: read
+ # We currently need `security-events: read` to access feature flags.
+ security-events: read
 steps:
 - uses: actions/checkout@v6
- - name: Init with default CodeQL bundle from the VM image
- id: init-default
- uses: ./init
- with:
- languages: javascript
- - name: Remove empty database
- # allows us to run init a second time
- run: |
- rm -rf "$RUNNER_TEMP/codeql_databases"
- - name: Init with latest CodeQL bundle
- id: init-latest
- uses: ./init
+ - name: Set up default CodeQL bundle
+ id: setup-default
+ uses: ./setup-codeql
+ - name: Set up linked CodeQL bundle
+ id: setup-linked
+ uses: ./setup-codeql
 with:
 tools: linked
- languages: javascript
- - name: Compare default and latest CodeQL bundle versions
+ - name: Compare default and linked CodeQL bundle versions
 id: compare
 env:
- CODEQL_DEFAULT: ${{ steps.init-default.outputs.codeql-path }}
- CODEQL_LATEST: ${{ steps.init-latest.outputs.codeql-path }}
+ CODEQL_DEFAULT: ${{ steps.setup-default.outputs.codeql-path }}
+ CODEQL_LINKED: ${{ steps.setup-linked.outputs.codeql-path }}
 run: |
 CODEQL_VERSION_DEFAULT="$("$CODEQL_DEFAULT" version --format terse)"
- CODEQL_VERSION_LATEST="$("$CODEQL_LATEST" version --format terse)"
+ CODEQL_VERSION_LINKED="$("$CODEQL_LINKED" version --format terse)"
 echo "Default CodeQL bundle version is $CODEQL_VERSION_DEFAULT"
- echo "Latest CodeQL bundle version is $CODEQL_VERSION_LATEST"
+ echo "Linked CodeQL bundle version is $CODEQL_VERSION_LINKED"
 # If we're running on a pull request, run with both bundles, even if `tools: linked` would
 # be the same as `tools: null`. This allows us to make the job for each of the bundles a
@@ -66,7 +61,7 @@ jobs:
 #
 # If we're running on push or schedule, then we can skip running with `tools: linked` when it would be
 # the same as running with `tools: null`.
- if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$GITHUB_EVENT_NAME" != "merge_group" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
+ if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$GITHUB_EVENT_NAME" != "merge_group" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LINKED" ]]; then
 VERSIONS_JSON='[null]'
 else
 VERSIONS_JSON='[null, "linked"]'
diff --git a/.github/workflows/debug-artifacts-failure-safe.yml b/.github/workflows/debug-artifacts-failure-safe.yml
index 4d04335353..6c456ea889 100644
--- a/.github/workflows/debug-artifacts-failure-safe.yml
+++ b/.github/workflows/debug-artifacts-failure-safe.yml
@@ -41,6 +41,8 @@ jobs:
 CODEQL_ACTION_TEST_MODE: true
 permissions:
 contents: read
+ # We currently need `security-events: read` to access feature flags.
+ security-events: read
 timeout-minutes: 45
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/debug-artifacts-safe.yml b/.github/workflows/debug-artifacts-safe.yml
index 7886d44c71..7c1d8da64b 100644
--- a/.github/workflows/debug-artifacts-safe.yml
+++ b/.github/workflows/debug-artifacts-safe.yml
@@ -40,6 +40,8 @@ jobs:
 timeout-minutes: 45
 permissions:
 contents: read
+ # We currently need `security-events: read` to access feature flags.
+ security-events: read
 runs-on: ubuntu-latest
 steps:
 - name: Check out repository
diff --git a/.github/workflows/python312-windows.yml b/.github/workflows/python312-windows.yml
index 79602d056a..880ecd5788 100644
--- a/.github/workflows/python312-windows.yml
+++ b/.github/workflows/python312-windows.yml
@@ -26,6 +26,8 @@ jobs:
 timeout-minutes: 45
 permissions:
 contents: read
+ # We currently need `security-events: read` to access feature flags.
+ security-events: read
 runs-on: windows-latest
 steps:
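Review bot: The comment above the added `security-events: read` line in debug-artifacts-failure-safe.yml says the scope is needed "currently" but states no condition for removing it, so the widened job-token scope is likely to outlive the feature-flag lookup that motivates it; the same two lines are added in debug-artifacts-safe.yml, python312-windows.yml and the first hunk of codeql.yml. On GitHub this scope also lets the job token read the repository's code scanning alerts, which these test workflows do not otherwise need, so the comment should carry the removal condition: `# TODO(review): drop once feature-flag lookup no longer requires this scope (it also grants read access to code scanning alerts).` Presumably the lookup happens inside the local `setup-codeql`/`init` actions rather than in these workflow files, so the scope should be revisited whenever those actions change how they fetch feature flags.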