add actions: read to any job using upload-sarif

code-scanning/apisec-scan.yml

@@ -49,6 +49,7 @@ jobs:
   Trigger APIsec scan:
     permissions:
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
     runs-on: ubuntu-latest
 
     steps:

code-scanning/brakeman.yml

@@ -25,6 +25,7 @@ jobs:
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
     name: Brakeman Scan
     runs-on: ubuntu-latest
     steps:

code-scanning/checkmarx.yml

@@ -29,6 +29,7 @@ jobs:
       issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues
       pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
     runs-on: ubuntu-latest
 
     # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional)

code-scanning/clj-holmes.yml

@@ -24,6 +24,7 @@ jobs:
     permissions:
       contents: read
       security-events: write
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
     steps:
       - name: Checkout code
         uses: actions/checkout@v2

code-scanning/clj-watson.yml

@@ -29,6 +29,7 @@ jobs:
     permissions:
       contents: read
       security-events: write
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
     steps:
       - name: Checkout code
         uses: actions/checkout@v2

code-scanning/codacy.yml

@@ -30,6 +30,7 @@ jobs:
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
     name: Codacy Security Scan
     runs-on: ubuntu-latest
     steps:

code-scanning/codescan.yml

@@ -25,6 +25,7 @@ jobs:
         permissions:
           contents: read # for actions/checkout to fetch code
           security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+          actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
         runs-on: ubuntu-latest
         steps:
             -   name: Checkout repository

code-scanning/contrast-scan.yml

@@ -30,6 +30,7 @@ jobs:
     permissions:
         contents: read # for actions/checkout
         security-events: write # for github/codeql-action/upload-sarif
+        actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
     runs-on: ubuntu-latest
     # check out project
     steps:

code-scanning/eslint.yml

@@ -25,6 +25,7 @@ jobs:
     permissions:
       contents: read
       security-events: write
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
     steps:
       - name: Checkout code
         uses: actions/checkout@v3

code-scanning/hadolint.yml

@@ -27,7 +27,7 @@ jobs:
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
     steps:
       - name: Checkout code
         uses: actions/checkout@v3

code-scanning/lintr.yml

@@ -29,6 +29,7 @@ jobs:
     permissions:
       contents: read # for checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
 
     steps:
       - name: Checkout code

code-scanning/mobsf.yml

@@ -21,6 +21,7 @@ jobs:
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
     runs-on: ubuntu-latest
 
     steps:

code-scanning/msvc.yml

@@ -28,6 +28,7 @@ jobs:
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
     name: Analyze
     runs-on: windows-latest
 

code-scanning/njsscan.yml

@@ -25,6 +25,7 @@ jobs:
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
     runs-on: ubuntu-latest
     name: njsscan code scanning
     steps:

code-scanning/ossar.yml

@@ -27,6 +27,7 @@ jobs:
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
     runs-on: windows-latest
 
     steps:

code-scanning/phpmd.yml

@@ -34,6 +34,7 @@ jobs:
     permissions:
       contents: read # for checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
 
     steps:
       - name: Checkout code

code-scanning/pmd.yml

@@ -21,6 +21,7 @@ jobs:
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3

code-scanning/powershell.yml

@@ -25,6 +25,7 @@ jobs:
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
     name: PSScriptAnalyzer
     runs-on: ubuntu-latest
     steps:

code-scanning/prisma.yml

@@ -29,6 +29,7 @@ jobs:
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
     runs-on: ubuntu-latest
     name: Run Prisma Cloud IaC Scan to check
     steps:

code-scanning/puppet-lint.yml

@@ -29,6 +29,7 @@ jobs:
     permissions:
       contents: read # for checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
 
     steps:
       - name: Checkout code

code-scanning/rust-clippy.yml

@@ -25,6 +25,7 @@ jobs:
     permissions:
       contents: read
       security-events: write
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
     steps:
       - name: Checkout code
         uses: actions/checkout@v2

code-scanning/semgrep.yml

@@ -27,6 +27,7 @@ jobs:
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
     name: Scan
     runs-on: ubuntu-latest
     steps:

code-scanning/snyk-container.yml

@@ -30,6 +30,7 @@ jobs:
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v3

code-scanning/snyk-infrastructure.yml

@@ -29,6 +29,7 @@ jobs:
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3

code-scanning/sobelow.yml

@@ -28,6 +28,7 @@ jobs:
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
     runs-on: ubuntu-latest
 
     steps:

code-scanning/sysdig-scan.yml

@@ -24,6 +24,7 @@ jobs:
       checks: write # for sysdiglabs/scan-action to publish the checks
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
     runs-on: ubuntu-latest
 
     steps:

code-scanning/trivy.yml

@@ -22,6 +22,7 @@ jobs:
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
     name: Build
     runs-on: "ubuntu-18.04"
     steps:

code-scanning/veracode.yml

@@ -27,6 +27,7 @@ jobs:
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
     runs-on: ubuntu-latest
     steps:
 

code-scanning/xanitizer.yml

@@ -51,6 +51,7 @@ jobs:
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
     runs-on: ubuntu-latest
 
     steps: