From f4e715f4281f75e211e1f43df778cc07d5f18a36 Mon Sep 17 00:00:00 2001 From: Panagiotis Siatras Date: Wed, 20 May 2026 15:54:20 +0300 Subject: [PATCH] gh: granted actions: read through the codeql call chain --- .github/workflows/codeql-analysis.yml | 1 + .github/workflows/goCI.yml | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 01f1e8a..0073652 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -33,6 +33,7 @@ on: permissions: contents: read + actions: read security-events: write jobs: diff --git a/.github/workflows/goCI.yml b/.github/workflows/goCI.yml index d9949fc..1b92103 100644 --- a/.github/workflows/goCI.yml +++ b/.github/workflows/goCI.yml @@ -160,8 +160,8 @@ jobs: PAT: ${{ secrets.PAT }} # NOTE(@azazeal): callers that set run-codeql: true must also grant - # security-events: write to the job that calls goCI.yml. Reusable workflows - # cannot be granted more than the caller has. + # actions: read and security-events: write to the job that calls goCI.yml. + # Reusable workflows cannot be granted more than the caller has. # # ref: https://docs.github.com/en/actions/reference/reusable-workflows-reference codeql: @@ -176,6 +176,7 @@ jobs: build-mode: ${{ inputs.codeql-build-mode }} permissions: contents: read + actions: read security-events: write secrets: SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}