@Copilot Copilot AI commented Jul 10, 2025

This PR ensures that CodeQL analysis workflows have the correct permissions configuration as required by GitHub security best practices.

Changes Made

Added security-events: write permission at the job level to both CodeQL analysis workflows:

  • auto-merge/contrib/.github/workflows/codeql-analysis.yml
  • auto-merge/js/.github/workflows/codeql-analysis.yml

Before

jobs:
  CodeQL-Build:
    runs-on: ubuntu-latest

    steps:
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2

After

jobs:
  CodeQL-Build:
    runs-on: ubuntu-latest
    permissions:
      security-events: write

    steps:
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2

Why This Change Is Needed

  • CodeQL analysis jobs that use github/codeql-action/analyze require security-events: write permission to upload security scanning results to GitHub's code scanning dashboard
  • Job-level permissions follow the principle of least privilege and are preferred over workflow-level permissions
  • This ensures compliance with GitHub's security scanning requirements and best practices

Both workflows now have the proper permissions to successfully upload their analysis results without permission errors.

Fixes #11.


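The token-scope rules this PR relies on are easy to get wrong: a job-level `permissions` block replaces the workflow-level block rather than merging with it, and any scope not listed in the block that applies drops to `none`. Taken literally, the "After" snippet therefore leaves `contents` at `none` for the `CodeQL-Build` job, which breaks `actions/checkout` in a private repository even though the SARIF upload now succeeds. The audit script below is an added example for this discussion, not code from the PR or from the auto-merge repository. It operates on the dict that `yaml.safe_load()` would return for a workflow file, so it runs without PyYAML; the sample workflows are constructed inline from the PR's Before/After snippets, and the `actions/checkout` and `codeql-action/init` steps in them, plus the `packages: read` scope, are assumed typical CodeQL-workflow content that the PR snippets do not show.

```python
"""Audit GitHub Actions workflows for CodeQL jobs that cannot upload results.

Added example for this PR discussion; not code from the PR or from the
auto-merge repository. Works on the dict yaml.safe_load() returns for a
workflow file, so no third-party package is needed. The sample workflows are
constructed inline from the PR's Before/After snippets; the checkout and init
steps in them are assumed, typical CodeQL steps that the PR snippets omit.
"""

# Steps that upload SARIF to code scanning and therefore need
# security-events: write. Matched by prefix so any ref (@v2, @v3, a SHA) counts.
UPLOADING_ACTIONS = ("github/codeql-action/analyze@",
                     "github/codeql-action/upload-sarif@")

# Scopes GitHub's CodeQL workflow template grants. contents/actions are what
# actions/checkout and codeql-action/init need in a private repository;
# packages is only needed to fetch private CodeQL packs (assumed scope set).
RECOMMENDED = {"security-events": "write", "contents": "read",
               "actions": "read", "packages": "read"}


def effective_permissions(workflow, job):
    """Resolve the GITHUB_TOKEN scopes a job actually receives.

    Documented GitHub semantics: a job-level `permissions` block replaces the
    workflow-level block entirely (no merging); any scope not listed in the
    block that applies becomes `none`; `read-all` / `write-all` are shorthand.
    With no block at either level the repository default applies, which this
    code cannot see, so it returns None.
    """
    block = job.get("permissions", workflow.get("permissions"))
    if block is None:
        return None
    if block == "write-all":
        return {scope: "write" for scope in RECOMMENDED}
    if block == "read-all":
        return {scope: "read" for scope in RECOMMENDED}
    scopes = set(RECOMMENDED) | set(block)
    return {scope: block.get(scope, "none") for scope in scopes}


def uploads_sarif(job):
    """True if any step in the job calls an uploading CodeQL action."""
    return any(str(step.get("uses", "")).startswith(UPLOADING_ACTIONS)
               for step in job.get("steps", []))


def audit(workflow):
    """Map each uploading job id to a list of findings (empty list = clean)."""
    findings = {}
    for job_id, job in workflow.get("jobs", {}).items():
        if not uploads_sarif(job):
            continue
        problems = []
        perms = effective_permissions(workflow, job)
        if perms is None:
            problems.append("no permissions block: relies on the repository default")
        else:
            if perms["security-events"] != "write":
                problems.append("security-events is %s, needs write"
                                % perms["security-events"])
            if perms["contents"] == "none":
                problems.append("contents is none: actions/checkout will fail "
                                "in a private repository")
        findings[job_id] = problems
    return findings


def _codeql_job(permissions=None):
    """Build the PR's CodeQL-Build job; checkout/init steps are assumed, not from the PR."""
    job = {"runs-on": "ubuntu-latest",
           "steps": [{"uses": "actions/checkout@v4"},
                     {"uses": "github/codeql-action/init@v3"},
                     {"name": "Perform CodeQL Analysis",
                      "uses": "github/codeql-action/analyze@v2"}]}
    if permissions is not None:
        job["permissions"] = permissions
    return job


# The PR's "Before": nothing set, so the token is whatever the repo defaults to.
BEFORE = {"jobs": {"CodeQL-Build": _codeql_job()}}
# The PR's "After": uploads work, but listing only one scope zeroes the rest.
AFTER = {"jobs": {"CodeQL-Build": _codeql_job({"security-events": "write"})}}
# Least-privilege layout: read-only floor for the workflow, uploads for one job.
HARDENED = {"permissions": {"contents": "read"},
            "jobs": {"CodeQL-Build": _codeql_job(dict(RECOMMENDED))}}
# Pitfall: a workflow-level grant silently lost because the job block replaces it.
OVERRIDDEN = {"permissions": {"security-events": "write", "contents": "read"},
              "jobs": {"CodeQL-Build": _codeql_job({"contents": "read"})}}

if __name__ == "__main__":
    for name, wf in [("before", BEFORE), ("after", AFTER),
                     ("hardened", HARDENED), ("overridden", OVERRIDDEN)]:
        print(name, audit(wf))
```

Running the script prints one line per sample: `before` is flagged for relying on the repository default, `after` for dropping `contents` to `none`, `overridden` for losing `security-events` entirely, and `hardened` comes back clean. To point it at real files, feed `yaml.safe_load(open(path))` into `audit()`.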

@Copilot Copilot AI changed the title from "[WIP] Ensure correct CodeQL workflow permissions" to "Add security-events: write permissions to CodeQL analysis workflows" Jul 10, 2025
@Copilot Copilot AI requested a review from trask July 10, 2025 00:47
Copilot finished work on behalf of trask July 10, 2025 00:47
Development

Successfully merging this pull request may close these issues.

Ensure correct CodeQL workflow permissions