From 456334aca094f37c522db6624de350cd1be49a30 Mon Sep 17 00:00:00 2001
From: Derek Anderson
Date: Thu, 26 Jun 2025 20:28:56 -0500
Subject: [PATCH] Fix security scan and permissions issues in CI workflow

- Update CodeQL Action from deprecated v2 to v3
- Add proper permissions for security-events:write
- Add contents:write permission for version update job
- Fix GitHub Security tab integration issues
---
 .github/workflows/ci-cd.yml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
index 46dfc54..208cd20 100644
--- a/.github/workflows/ci-cd.yml
+++ b/.github/workflows/ci-cd.yml
@@ -8,6 +8,11 @@ on:
   release:
     types: [ published ]
 
+permissions:
+  contents: read
+  security-events: write
+  actions: read
+
 jobs:
   test:
     name: Test on Node.js ${{ matrix.node-version }} and ${{ matrix.os }}
@@ -196,6 +201,8 @@ jobs:
     runs-on: ubuntu-latest
     needs: [test, lint]
     if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+    permissions:
+      contents: write
     steps:
       - name: Checkout code
 
@@ -227,6 +234,10 @@ jobs:
   security:
     name: Security Scan
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
     steps:
       - name: Checkout code
 
@@ -241,7 +252,7 @@ jobs:
           output: 'trivy-results.sarif'
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v3
         if: always()
         with:
           sarif_file: 'trivy-results.sarif'
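Review bot: The workflow-level `permissions:` block in the first hunk grants `security-events: write` and `actions: read` to every job that does not declare its own block, including the test and lint jobs, while the third hunk (`security:` job) already scopes those same grants to the one job that uploads SARIF. Least privilege would keep the workflow-level block at `permissions:` / `contents: read` and leave the `security-events: write` grant job-level, as the security job hunk does. Note that a job-level `permissions:` block replaces the workflow-level one rather than merging with it, so a job that declares its own block holds exactly what it lists and nothing more. I would record that intent above the workflow-level block, e.g. `# Default GITHUB_TOKEN scope for all jobs; jobs needing more declare their own block (which replaces this one)`.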
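Review bot: The `contents: write` grant added to the version-update job in the second hunk lacks a comment saying what the job writes, and `write` on contents is the broadest scope this workflow hands out, so a reader should not have to reconstruct the reason from the steps. The job body is outside the hunk; presumably it pushes a version bump commit or tag — if so, note that a push made with the default GITHUB_TOKEN does not trigger other workflows, so a release workflow expected to follow that push may not run. A one-line comment such as `# needed to push the version bump; replaces the workflow-level read-only scope` above `permissions:` would make both the scope and the override explicit.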
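Review bot: The last hunk moves `upload-sarif` to the mutable `@v3` tag, which tracks whatever commit the action maintainers point that tag at; for a step that has `security-events: write`, pinning to a full-length commit SHA with the version recorded in a comment is the usual supply-chain hardening, e.g. `uses: github/codeql-action/upload-sarif@<full-commit-sha>  # v3` (placeholder, not a real SHA). The same applies to the other `uses:` lines in this workflow that are outside the hunk, if they are tag-pinned too. Separately, the unchanged `if: always()` means the upload step also runs when the preceding Trivy step fails to produce `trivy-results.sarif`, which surfaces as an upload error rather than a scan error; that is pre-existing behaviour, but worth a comment on the `if:` line.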