
Tighten workflow permissions, dependabot config, and add CodeQL#663

Draft
wagoodman wants to merge 1 commit into main from remediate-audit


Conversation


@wagoodman wagoodman commented May 8, 2026

Contributor

Brings several workflow hygiene items into compliance: restricts top-level permissions, tightens trigger scope, updates dependabot schedule, and adds a CodeQL scan.

Changes:

  • set workflow-level permissions: {} in release-drafter.yml and validate-github-actions.yaml; per-job blocks already carry what each job needs
  • restrict tag-release.yml to fire on tag-push (v*) only, so contents: write is not active on arbitrary release events
  • switch dependabot github-actions and npm schedules from daily to weekly; add /.github/actions/* to the github-actions directories
  • add codeql.yaml with javascript-typescript and actions matrix, pinned SHAs, weekly schedule

- set workflow-level permissions to {} in release-drafter.yml and
  validate-github-actions.yaml; per-job blocks already carry what each
  job needs
- restrict tag-release.yml trigger to tag-push (v*) instead of release
  events so contents:write is only active on actual tag pushes
- change dependabot github-actions and npm schedule from daily to weekly;
  add /.github/actions/* directory to github-actions ecosystem
- add codeql.yaml with javascript-typescript and actions matrix

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
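As an added illustration (not a file from this repository or from the PR itself), the workflow below is shaped the way the description prescribes for tag-release.yml: an empty workflow-level permissions block, the trigger narrowed to pushes of `v*` tags, and `contents: write` granted only to the job that publishes the release. The workflow name, steps, script path and the all-zero commit SHA are assumed placeholders.

```yaml
# Added example, not the repository's own tag-release.yml.
# Names, steps, paths and the SHA below are placeholders.
name: tag-release

on:
  push:
    tags:
      - "v*"            # fires only on version-tag pushes
# before: an `on: release` trigger would keep `contents: write` live on
# every release event, not just on actual tag pushes

# Deny every token scope at the workflow level; jobs opt in individually.
permissions: {}

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # needed to create the release; no other scope granted
    steps:
      # Pin actions to a full commit SHA (placeholder SHA shown; use the real one)
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder)
        with:
          persist-credentials: false   # do not leave the token in .git/config
      - name: Build artifacts
        run: ./scripts/build.sh        # placeholder build step
      - name: Publish release
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh release create "${GITHUB_REF_NAME}" ./dist/*
```

Two points worth checking when applying this pattern: a top-level `permissions: {}` only sets the default, so every job that declares its own block must still be reviewed for the minimum scopes it actually uses, and narrowing the trigger to `v*` tag pushes means anyone who can push such a tag can run the privileged job, so tag protection rules belong alongside the workflow change.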
@wagoodman wagoodman added the `changelog-ignore` label (do not add an entry for this when generating the changelog) May 8, 2026
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@wagoodman wagoodman marked this pull request as draft May 8, 2026 21:15