Fix security scan and permissions issues in CI workflow

- Update CodeQL Action from deprecated v2 to v3 - Add proper permissions for security-events:write - Add contents:write permission for version update job - Fix GitHub Security tab integration issues
2025-06-26 20:28:56 -05:00 · 2025-06-26 20:28:56 -05:00 · 456334aca0
commit 456334aca0
parent 4166778a33
1 changed files with 12 additions and 1 deletions
--- a/.github/workflows/ci-cd.yml
+++ b/.github/workflows/ci-cd.yml
@ -8,6 +8,11 @@ on:
  release:
    types: [ published ]

+permissions:
+  contents: read
+  security-events: write
+  actions: read
+
 jobs:
  test:
    name: Test on Node.js ${{ matrix.node-version }} and ${{ matrix.os }}
@ -196,6 +201,8 @@ jobs:
    runs-on: ubuntu-latest
    needs: [test, lint]
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+    permissions:
+      contents: write

    steps:
    - name: Checkout code
@ -227,6 +234,10 @@ jobs:
  security:
    name: Security Scan
    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
    
    steps:
    - name: Checkout code
@ -241,7 +252,7 @@ jobs:
        output: 'trivy-results.sarif'

    - name: Upload Trivy scan results to GitHub Security tab
-      uses: github/codeql-action/upload-sarif@v2
+      uses: github/codeql-action/upload-sarif@v3
      if: always()
      with:
        sarif_file: 'trivy-results.sarif'