From 03501ad73c24611924e8249f875e85da76605f01 Mon Sep 17 00:00:00 2001
From: bcaller
Date: Tue, 12 Sep 2023 13:52:25 +0100
Subject: [PATCH] Contents:read is required to clone private repos

It was quite surprising that it was working with contents:none. But it was only working in security-action because it's public!! Private repos need more permissions in the GITHUB_TOKEN.
---
 .github/workflows/full-loop.yml | 3 +--
 .github/workflows/loop.yml | 1 +
 .github/workflows/semgrep-self-test.yml | 2 +-
 assets/org.yml | 3 ++-
 4 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/full-loop.yml b/.github/workflows/full-loop.yml
index 12a56943..78d2c582 100644
--- a/.github/workflows/full-loop.yml
+++ b/.github/workflows/full-loop.yml
@@ -7,8 +7,7 @@ on:
 types: [opened, synchronize, reopened, ready_for_review]
 branches: [main]
 permissions:
- # Clear all permissions as none are required just to clone repo
- contents: none
+ contents: read
 jobs:
 full-loop:
 name: full-loop
diff --git a/.github/workflows/loop.yml b/.github/workflows/loop.yml
index bde54967..2c70f5c0 100644
--- a/.github/workflows/loop.yml
+++ b/.github/workflows/loop.yml
@@ -7,6 +7,7 @@ on:
 types: [opened, synchronize, reopened, ready_for_review]
 branches: [main]
 permissions:
+ contents: read
 pull-requests: write
 jobs:
 loop:
diff --git a/.github/workflows/semgrep-self-test.yml b/.github/workflows/semgrep-self-test.yml
index e0d286d4..76a713bd 100644
--- a/.github/workflows/semgrep-self-test.yml
+++ b/.github/workflows/semgrep-self-test.yml
@@ -7,7 +7,7 @@ on:
 types: [opened, synchronize, reopened, ready_for_review]
 branches: [main]
 permissions:
- # Clear all permissions as none are required just to clone repo
+ # This is a public repo, no permissions required to clone
 contents: none
 jobs:
 semgrep-self-test:
diff --git a/assets/org.yml b/assets/org.yml
index 0511dbb8..d9a6cafd 100644
--- a/assets/org.yml
+++ b/assets/org.yml
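Review bot: The removed comment above the `permissions:` block is not replaced, so the new `contents: read` line in full-loop.yml carries no rationale for why the token now needs read access; that reasoning lives only in the commit message. A one-line comment keeps the least-privilege intent visible in the file itself: `# contents: read is the minimum scope needed to clone a private repo; every other scope stays none because the block is explicit`. The same applies to the `contents: read` lines added in loop.yml and in the first hunk of assets/org.yml, which likewise arrive without a comment.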
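Review bot: The new comment `# This is a public repo, no permissions required to clone` in semgrep-self-test.yml ties `contents: none` to the repository's current visibility, which is state the workflow cannot see; if the repo is ever made private the clone will fail and this comment gives no pointer to the fix the other three files just received. Extending it would close that gap: `# This is a public repo, no permissions required to clone; switch to contents: read if it ever becomes private`. The `jobs:` section continues outside the hunk.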
@@ -7,6 +7,7 @@ on:
 types: [opened, synchronize, reopened, ready_for_review]
 branches: [main, master, staging, development, devel, dev]
 permissions:
+ contents: read
 pull-requests: write
 jobs:
 security:
@@ -15,7 +16,7 @@ jobs:
 strategy:
 fail-fast: false
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 with:
 fetch-depth: 0
 - uses: brave/security-action@main
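Review bot: The new `- uses: actions/checkout@v4` line pins to a mutable major-version tag, and since assets/org.yml looks like a template meant to be copied into other repositories, a later retag of `v4` would change what every consumer runs without any diff on their side. Pinning to the full commit SHA of the release and keeping the tag as a trailing comment, `- uses: actions/checkout@<full-commit-sha-of-the-v4-release> # v4`, gives an immutable reference that dependency-update tooling can still bump. The `brave/security-action@main` reference on the context line has the same property but is not touched by this commit; the `steps:` list continues outside the hunk.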