From 27949d40d3a3a2969ebf35f85314c88a6be6ce50 Mon Sep 17 00:00:00 2001
From: Nate Prewitt
Date: Fri, 21 Jul 2023 15:13:35 -0600
Subject: [PATCH 1/3] Add read constraints on read-only jobs
---
 .github/workflows/fail-master-prs.yml | 3 +++
 .github/workflows/lint.yml | 3 +++
 .github/workflows/run-tests.yml | 3 +++
 .github/workflows/stale_issue.yml | 4 ++++
 4 files changed, 13 insertions(+)
diff --git a/.github/workflows/fail-master-prs.yml b/.github/workflows/fail-master-prs.yml
index 671b81edb0..e6ca087aab 100644
--- a/.github/workflows/fail-master-prs.yml
+++ b/.github/workflows/fail-master-prs.yml
@@ -4,6 +4,9 @@ on:
 pull_request:
 branches: [ master ]
 
+permissions:
+ contents: read
+
 jobs:
 fail:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 4779c4db2e..39bb3e9eea 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -5,6 +5,9 @@ on:
 pull_request:
 branches-ignore: [ master ]
 
+permissions:
+ contents: read
+
 jobs:
 lint:
 runs-on: ubuntu-20.04
diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml
index ffb340d6ad..bdb63ca04b 100644
--- a/.github/workflows/run-tests.yml
+++ b/.github/workflows/run-tests.yml
@@ -5,6 +5,9 @@ on:
 pull_request:
 branches-ignore: [ master ]
 
+permissions:
+ contents: read
+
 jobs:
 build:
 
diff --git a/.github/workflows/stale_issue.yml b/.github/workflows/stale_issue.yml
index bc2be6eb26..256add8272 100644
--- a/.github/workflows/stale_issue.yml
+++ b/.github/workflows/stale_issue.yml
@@ -5,6 +5,9 @@ on:
 schedule:
 - cron: "0 * * * *"
 
+permissions:
+ contents: read
+
 jobs:
 issue-cleanup:
 permissions:
@@ -36,6 +39,7 @@ jobs:
 # Issue timing
 days-before-stale: 5
 days-before-close: 2
+
 # If you don't want to mark a issue as being ancient based on a
 # threshold of "upvotes", you can set this here. An "upvote" is
 # the total number of +1, heart, hooray, and rocket reactions
From d92d0c31da90ad00878182798688a1183e598c00 Mon Sep 17 00:00:00 2001
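Review bot: In the stale_issue.yml hunk the new workflow-level `contents: read` does not apply to the issue-cleanup job, because that job declares its own `permissions:` block (the hunk's last context line; the block itself continues outside the hunk) and a job-level block replaces the workflow-level one entirely rather than adding to it. The read-only intent of this commit therefore rests on what that block grants; it should list only the scopes the stale action needs, e.g. `issues: write` (plus `pull-requests: write` only if stale PRs are closed as well), and nothing more. A comment above the top-level stanza, such as `# Default for every job; issue-cleanup overrides this below with its own write scopes`, would make the override visible, since the same three-line stanza appears without such a job-level override in fail-master-prs.yml, lint.yml and run-tests.yml.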
From: Nate Prewitt
Date: Fri, 21 Jul 2023 15:13:49 -0600
Subject: [PATCH 2/3] Close stale issues once a day
---
 .github/workflows/stale_issue.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/stale_issue.yml b/.github/workflows/stale_issue.yml
index 256add8272..c2d5bbdfb6 100644
--- a/.github/workflows/stale_issue.yml
+++ b/.github/workflows/stale_issue.yml
@@ -3,7 +3,7 @@ name: "Close stale issues"
 # Controls when the action will run.
 on:
 schedule:
- - cron: "0 * * * *"
+ - cron: "0 0 * * *"
 
 permissions:
 contents: read
From 90a090ef13eb207f8b11918ca6af3b095b849f01 Mon Sep 17 00:00:00 2001
From: Nate Prewitt
Date: Fri, 21 Jul 2023 15:14:23 -0600
Subject: [PATCH 3/3] Add workflow for CodeQL
---
 .github/codeql.yml | 2 ++
 .github/workflows/codeql.yml | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+)
 create mode 100644 .github/codeql.yml
 create mode 100644 .github/workflows/codeql.yml
diff --git a/.github/codeql.yml b/.github/codeql.yml
new file mode 100644
index 0000000000..04e6bd81ba
--- /dev/null
+++ b/.github/codeql.yml
@@ -0,0 +1,2 @@
+paths:
+- "boto3/"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000000..ff97bc29b7
--- /dev/null
+++ b/.github/workflows/codeql.yml
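Review bot: The new `- cron: "0 0 * * *"` fires at the top of the hour, which GitHub documents as a high-load window where scheduled runs can be delayed or, under enough load, dropped; an off-minute such as `- cron: "17 3 * * *"` (a constructed example, any unused minute and hour will do) keeps the daily cadence without that contention. The same applies to the `"0 0 * * 5"` schedule introduced for CodeQL in the third patch. A short comment on the line, `# Runs once a day at the given UTC time; stale/close thresholds are evaluated per run`, would also record that `days-before-close: 2` is now checked daily rather than hourly.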
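Review bot: `paths:` with only `"boto3/"` narrows code scanning to the package directory, so tests and any helper scripts in the repository are never analysed; if that is intended, a one-line comment above it (`# Scan the library only; tests and tooling are excluded from code scanning on purpose`) stops a later reader from treating the omission as accidental. Style: the sequence item is flush with `paths:` while every other sequence in this series is indented under its key (the `- cron:` entries in the workflows), so indenting it keeps one block-sequence style across the .github tree.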
@@ -0,0 +1,35 @@
+name: "CodeQL"
+
+on:
+ push:
+ branches: ["develop"]
+ pull_request:
+ branches: ["develop"]
+ schedule:
+ - cron: "0 0 * * 5"
+
+permissions: "read-all"
+
+jobs:
+ analyze:
+ name: "Analyze"
+ runs-on: "ubuntu-latest"
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ steps:
+ - name: "Checkout repository"
+ uses: "actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3"
+
+ - name: "Run CodeQL init"
+ uses: "github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a"
+ with:
+ config-file: "./.github/codeql.yml"
+ languages: "python"
+
+ - name: "Run CodeQL autobuild"
+ uses: "github/codeql-action/autobuild@cdcdbb579706841c47f7063dda365e292e5cad7a"
+
+ - name: "Run CodeQL analyze"
+ uses: "github/codeql-action/analyze@cdcdbb579706841c47f7063dda365e292e5cad7a"
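Review bot: The four `uses:` lines pin actions to full commit SHAs, which is the right choice, but none carries the trailing version comment that Dependabot and Renovate rely on to propose SHA bumps (`uses: "actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3" # vX.Y.Z`, version placeholder to be filled from the pinned tag); without it the pins silently go stale and the update bots cannot track them. Separately, the workflow-level `permissions: "read-all"` is superseded for the analyze job by its own block, which already lists the three scopes the analyze step needs; that layering is correct, but a comment such as `# read-all is the workflow default; analyze adds security-events: write below to upload results` records why both exist. The `"0 0 * * 5"` schedule shares the top-of-hour timing concern raised on the second patch.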