diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index bb76b9a..6f23bc9 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -11,6 +11,8 @@ # name: "CodeQL Advanced" +permissions: {} # overwritten below + on: push: branches: [ "master" ] @@ -19,6 +21,10 @@ on: schedule: - cron: '31 8 * * 4' +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + jobs: analyze: name: Analyze (${{ matrix.language }}) @@ -29,15 +35,12 @@ jobs: # Consider using larger runners or machines with greater resources for possible analysis time improvements. runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} permissions: - # required for all workflows - security-events: write - - # required to fetch internal or private CodeQL packs - packages: read + security-events: write # codeql writes results + packages: read # codeql fetch private packs # only required for workflows in private repositories - actions: read - contents: read + # actions: read + # contents: read strategy: fail-fast: false @@ -57,7 +60,9 @@ jobs: # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false # Add any setup steps before running the `github/codeql-action/init` action. # This includes steps like installing compilers or runtimes (`actions/setup-node` @@ -67,7 +72,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} 
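Review bot: The comment on the new `permissions: {}` line, `# overwritten below`, describes the mechanism rather than the intent; a reader still has to open every job to learn that the workflow default deliberately grants the token nothing. Suggest `permissions: {}  # no default token scopes; each job grants only what it needs`. The same line and comment are added to makefile.yml in this commit.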
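Review bot: `cancel-in-progress: true` in the new `concurrency` block applies to every trigger, so a push to master, or the scheduled run (whose `github.ref` is also the default branch), cancels an in-flight analysis in the same group and code scanning can be left without a completed result for master. Limit cancellation to pull requests, `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`, or give push and schedule runs a group of their own. The identical block is added to makefile.yml in this commit; cancelling a superseded master build there is cheaper, but the same consideration applies.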
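Review bot: Commenting out `contents: read` and `actions: read` in the analyze job's `permissions` leaves the token unable to read the repository, so per the surviving comment (`# only required for workflows in private repositories`) the checkout keeps working only while this repository stays public; a later change to private visibility, or as far as I can tell a private fork, would fail with a permissions error. `contents: read` is a read-only scope, so consider keeping it active, `contents: read  # checkout; required if the repository is private`, and deleting the commented-out `actions: read` line rather than leaving dead configuration. The inline comment on the line above should read `# codeql fetches private packs`.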
@@ -84,7 +89,8 @@ jobs: # to build your code. # â„šī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - if: matrix.build-mode == 'manual' + - name: manual build + if: matrix.build-mode == 'manual' shell: bash run: | sudo apt-get install -y libselinux1-dev libbluetooth-dev gettext @@ -92,6 +98,6 @@ jobs: make all - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/makefile.yml b/.github/workflows/makefile.yml index 99cc131..9e407ca 100644 --- a/.github/workflows/makefile.yml +++ b/.github/workflows/makefile.yml @@ -1,21 +1,31 @@ name: Compile net-tools +permissions: {} # overwritten below + on: push: branches: [ "master" ] pull_request: branches: [ "master" ] +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + jobs: build: - permissions: - contents: read - pull-requests: write + name: Compile with make + permissions: {} + # contents: read + # pull-requests: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: install-dev run: sudo apt-get install libbluetooth-dev libselinux1-dev gettext
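Review bot: The new step name `manual build` breaks the capitalised style of its sibling steps (`Checkout repository`, `Initialize CodeQL`, `Perform CodeQL Analysis`); `- name: Manual build` would match. While this step is being touched, note that `sudo apt-get install -y …` runs without a preceding `sudo apt-get update`, which can fail on a runner image whose package lists are stale; that line is pre-existing context rather than part of this change, and the step's `run` block continues past the end of the hunk.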