diff --git a/actions/ql/lib/ext/config/actions_permissions.yml b/actions/ql/lib/ext/config/actions_permissions.yml
index 6e0081973de6..3476d63630bf 100644
--- a/actions/ql/lib/ext/config/actions_permissions.yml
+++ b/actions/ql/lib/ext/config/actions_permissions.yml
@@ -13,7 +13,10 @@ extensions:
 - ["actions/labeler", "pull-requests: write"]
 - ["actions/attest", "id-token: write"]
 - ["actions/attest", "attestations: write"]
- # No permissions needed for actions/add-to-project
+ - ["actions/add-to-project", "repository-projects:read"]
+ - ["actions/add-to-project", "repository-projects:write"]
+ - ["actions/add-to-project", "issues:read"]
+ - ["actions/add-to-project", "pull-requests:read"]
 - ["actions/dependency-review-action", "contents: read"]
 - ["actions/attest-sbom", "id-token: write"]
 - ["actions/attest-sbom", "attestations: write"]
@@ -30,8 +33,8 @@ extensions:
 - ["actions/versions-package-tools", "actions: read"]
 - ["actions/reusable-workflows", "contents: read"]
 - ["actions/reusable-workflows", "actions: read"]
- # TODO: Add permissions for actions/download-artifact
- # TODO: Add permissions for actions/upload-artifact
- # TODO: Add permissions for actions/cache
+ # No permissions needed for actions/download-artifact
+ # No permissions needed for actions/upload-artifact
+ # No permissions needed for actions/cache
diff --git a/actions/ql/src/change-notes/2025-04-24-minimal-permission-for-add-to-project.md b/actions/ql/src/change-notes/2025-04-24-minimal-permission-for-add-to-project.md
new file mode 100644
index 000000000000..5e7757077c2a
--- /dev/null
+++ b/actions/ql/src/change-notes/2025-04-24-minimal-permission-for-add-to-project.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query `actions/missing-workflow-permissions` is now aware of the minimal permissions needed for the action `add-to-project`. This should lead to better alert messages and better fix suggestions.
\ No newline at end of file
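Review bot: The four new `actions/add-to-project` rows spell the permission as `scope:level` with no space (`"repository-projects:read"`), whereas every other row in this data model uses `scope: level` (`"pull-requests: write"`, `"contents: read"`), and the MissingActionsPermissions.expected hunk shows the result: perms7 now gets a suggested block `{issues:read, pull-requests:read, repository-projects:read, repository-projects:write}` that differs in form from the `{contents: read, id-token: write, pages: write}` suggested for perms6. Normalising to `- ["actions/add-to-project", "repository-projects: read"]` (and the same for the other three rows) keeps the model uniform and avoids any string-keyed comparison in the query treating `contents: read` and `contents:read` as two different permissions. Separately, on GitHub the `write` level of a scope already includes `read`, so listing both `repository-projects:read` and `repository-projects:write` makes the suggested minimal block longer than the least-privilege answer; keeping only the write row would be enough. The enclosing `extensions:` list begins outside the hunk, so the exact indentation of the new rows cannot be checked here.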
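Review bot: The replacement comments assert that `actions/download-artifact`, `actions/upload-artifact` and `actions/cache` need no permissions, but download-artifact's cross-run and cross-repository mode (the `github-token` input together with `run-id` or `repository`) is documented as requiring `actions: read` on that token, so the blanket statement only holds for the default same-run case. Presumably the query will then propose `{}` for a job whose only step downloads artifacts from another run, which would be a suggestion that fails at runtime rather than a least-privilege one; if the data model can express it, add `- ["actions/download-artifact", "actions: read"]`, otherwise qualify the comment, e.g. `# No permissions needed for actions/download-artifact within the same run (cross-run downloads need actions: read)`. This is hedged because the matching granularity of the data model is not visible in this hunk.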
diff --git a/actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected b/actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected
index 1a3c36c78ca1..19ebeccdc728 100644
--- a/actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected
+++ b/actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected
@@ -2,4 +2,4 @@
 | .github/workflows/perms2.yml:6:5:10:2 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read} |
 | .github/workflows/perms5.yml:7:5:10:32 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read} |
 | .github/workflows/perms6.yml:7:5:11:39 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read, id-token: write, pages: write} |
-| .github/workflows/perms7.yml:7:5:10:38 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {} |
+| .github/workflows/perms7.yml:7:5:10:38 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {issues:read, pull-requests:read, repository-projects:read, repository-projects:write} |