Remove CodeQL scanner & move others to new weekly schedule#1109
Conversation
GitHub enhanced their CodeQL scanner and its configuration options since the time this was written, and it's now easier to simply use the repository settings for setting up CodeQL. No need to maintain our own workflow anymore. Also, the other scanners (OSV and Scorecard) are run on every PR, so there is not much value in running them nightly too. I moved them to a new weekly workflow because it's still worth running them regularly.
This slightly updates the workflow and gives the file a name that's hopefully more clear.
This updates the workflow to the latest version from our template repo.
This is currently the driver for the OSV and Scorecard workflows. In the future, we may add others.
pavoljuhas
left a comment
Please check the downgrades of actions in this PR.
Also, quite a few workflows run with write-all permissions.
Can we change that to something more restrictive?
For example, the OSV scanner example at https://google.github.io/osv-scanner/github-action/#scan-on-pull-request, grants write permission for security-events only.
The hash was for version v5, but the comment said it was for v4.
Some of the actions were out of date.
@pavoljuhas A fair point. I committed a change that restricts the permissions. It seems to work, although I remember having a lot of trouble finding working permissions and settled on write-all partly out of desperation. We will have to wait and see if this works once merged into the default branch.
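For readers who want to see what "something more restrictive" than `write-all` looks like in practice, here is an added example of a weekly OSV + Scorecard driver workflow. It is not the file committed in this PR; the schedule, job names and action refs (`@v1`, `@v4`, `@v2`, `@v3`) are placeholders chosen for illustration, and the project itself pins actions to full commit hashes. The scopes follow the OSV scanner and Scorecard documentation: the OSV reusable workflow is granted `security-events: write` plus read-only `actions` and `contents`, and Scorecard additionally needs `id-token: write` to publish results.

```yaml
# Added example, not the workflow from this PR.
# Weekly driver for the OSV and Scorecard scanners, in the shape the thread describes.
# Action refs are placeholders: pin each to a full commit SHA and keep the
# version comment next to it in sync with that hash (the v4/v5 mismatch this review caught).
name: Weekly security scans

on:
  schedule:
    - cron: '0 6 * * 1'   # Mondays 06:00 UTC; placeholder schedule
  workflow_dispatch:       # allow a manual run without waiting a week

# The setting the review objected to would be:
#
#   permissions: write-all
#
# Instead grant nothing at the top level and give each job only the scopes its
# scanner documents as required. GitHub treats `{}` as "no permissions".
permissions: {}

jobs:
  osv-scan:
    # OSV-Scanner reusable workflow, scheduled mode.
    uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v1   # placeholder ref
    permissions:
      actions: read            # read workflow run metadata
      contents: read           # check out the repository
      security-events: write   # upload SARIF to the code-scanning tab

  scorecard:
    runs-on: ubuntu-latest
    permissions:
      actions: read            # read-only scopes; needed for private repos
      contents: read
      id-token: write          # Scorecard publishes results via OIDC
      security-events: write   # upload SARIF to the code-scanning tab
    steps:
      - uses: actions/checkout@v4            # placeholder ref
        with:
          persist-credentials: false         # do not leave the token in .git/config

      - uses: ossf/scorecard-action@v2       # placeholder ref
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true

      - uses: github/codeql-action/upload-sarif@v3   # placeholder ref
        with:
          sarif_file: results.sarif
```

One check worth running before merging a change like this: trigger the workflow with `workflow_dispatch` on the branch first, since a permissions block that is too narrow fails only at the step that needs the missing scope, and a scheduled workflow only runs on the default branch.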
pavoljuhas
left a comment
LGTM with a couple of comment updates.
Thank you for taking care of permissions!
Co-authored-by: Pavol Juhas <pavol.juhas@gmail.com>
…b#1109)

GitHub enhanced their CodeQL scanner and its configuration options since the time I originally wrote the custom workflow file here. It's now easier to simply use GitHub's repository options for setting up CodeQL. No need to maintain our own workflow anymore.

Also, the other scanners (OSV and Scorecard) are run on every PR, so there is not much value in also running them nightly. I moved them to a new weekly workflow because it's still worth running them regularly.

Finally, this updates the workflows to the latest versions used in our template repo.

---------

Co-authored-by: Pavol Juhas <pavol.juhas@gmail.com>