From cba1292debfebc0ddd8f5f6078d8e15a7b22ce54 Mon Sep 17 00:00:00 2001
From: saan800
Date: Tue, 2 Jun 2026 20:38:09 +0800
Subject: [PATCH 1/2] fix: don't call codeql in pr workflows
---
 .github/workflows/_scan-codeql.yml | 7 +++++++
 .github/workflows/dotnet-package-pr.yml | 12 ------------
 .github/workflows/dotnet-package-release.yml | 12 ------------
 .github/workflows/dotnet-pr.yml | 12 ------------
 4 files changed, 7 insertions(+), 36 deletions(-)

diff --git a/.github/workflows/_scan-codeql.yml b/.github/workflows/_scan-codeql.yml
index ab406ef..b056839 100644
--- a/.github/workflows/_scan-codeql.yml
+++ b/.github/workflows/_scan-codeql.yml
@@ -29,6 +29,7 @@ on:
 permissions:
 actions: read
 contents: read
+ packages: read
 security-events: write
 
 jobs:
@@ -42,8 +43,14 @@ jobs:
 runs-on: ${{ inputs.os }}
 timeout-minutes: ${{ inputs.timeout-minutes }}
 permissions:
+ # only required for workflows in private repositories
 actions: read
 contents: read
+
+ # required to fetch internal or private CodeQL packs
+ packages: read
+
+ # required for all workflows
 security-events: write
 
 strategy:
diff --git a/.github/workflows/dotnet-package-pr.yml b/.github/workflows/dotnet-package-pr.yml
index 3a2a34e..6d80a5c 100644
--- a/.github/workflows/dotnet-package-pr.yml
+++ b/.github/workflows/dotnet-package-pr.yml
@@ -109,15 +109,3 @@ jobs:
 uses: ./.github/workflows/_dependency-review.yml
 with:
 harden-runner-policy: ${{ inputs.harden-runner-policy }}
-
- scan-codeql:
- permissions:
- actions: read
- contents: read
- security-events: write
- uses: ./.github/workflows/_scan-codeql.yml
- with:
- harden-runner-policy: ${{ inputs.harden-runner-policy }}
- os: ${{ inputs.os }}
- dotnet-version: ${{ inputs.dotnet-version }}
- language: csharp
diff --git a/.github/workflows/dotnet-package-release.yml b/.github/workflows/dotnet-package-release.yml
index c0b41d4..a386456 100644
--- a/.github/workflows/dotnet-package-release.yml
+++ b/.github/workflows/dotnet-package-release.yml
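Review bot: The `packages: read` scope added under the job-level `permissions:` in the second _scan-codeql.yml hunk (and at workflow level in the first) must also be granted by every job that `uses: ./.github/workflows/_scan-codeql.yml`; a reusable workflow cannot elevate the caller's GITHUB_TOKEN, and as far as I recall GitHub fails the run when the called workflow requests a scope the caller did not grant. The caller jobs removed elsewhere in this patch granted only `actions: read`, `contents: read` and `security-events: write`, so any caller that survives outside this diff (a scheduled or default-branch scan, say) needs `packages: read` added to its job `permissions:` block, otherwise the scan stops running rather than running with fewer scopes. The release workflow is among the callers removed although the subject line mentions only PR workflows, so after this series nothing visible in the diff invokes the reusable scan; confirming that CodeQL still runs somewhere is worth a line in the commit message. The three new comments explain the job-level block only; the workflow-level block in the first hunk carries the same four scopes and would read better with the same `# required to fetch internal or private CodeQL packs` note above its `packages: read`.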
@@ -84,15 +84,3 @@ jobs:
 is-release-branch: ${{ inputs.is-release-branch }}
 force-release: ${{ inputs.force-release }}
 secrets: inherit
-
- scan-codeql:
- permissions:
- actions: read
- contents: read
- security-events: write
- uses: ./.github/workflows/_scan-codeql.yml
- with:
- harden-runner-policy: ${{ inputs.harden-runner-policy }}
- os: ${{ inputs.os }}
- dotnet-version: ${{ inputs.dotnet-version }}
- language: csharp
diff --git a/.github/workflows/dotnet-pr.yml b/.github/workflows/dotnet-pr.yml
index 6131a21..023364e 100644
--- a/.github/workflows/dotnet-pr.yml
+++ b/.github/workflows/dotnet-pr.yml
@@ -100,15 +100,3 @@ jobs:
 uses: ./.github/workflows/_dependency-review.yml
 with:
 harden-runner-policy: ${{ inputs.harden-runner-policy }}
-
- scan-codeql:
- permissions:
- actions: read
- contents: read
- security-events: write
- uses: ./.github/workflows/_scan-codeql.yml
- with:
- harden-runner-policy: ${{ inputs.harden-runner-policy }}
- os: ${{ inputs.os }}
- dotnet-version: ${{ inputs.dotnet-version }}
- language: csharp

From 1e64c13e3d51eab4070b4f891e14392c556a601c Mon Sep 17 00:00:00 2001
From: saan800
Date: Tue, 2 Jun 2026 20:51:19 +0800
Subject: [PATCH 2/2] fix: don't call codeql in pr workflows
---
 .github/workflows/dotnet-package-pr.yml | 2 --
 .github/workflows/dotnet-package-release.yml | 2 --
 .github/workflows/dotnet-pr.yml | 2 --
 3 files changed, 6 deletions(-)

diff --git a/.github/workflows/dotnet-package-pr.yml b/.github/workflows/dotnet-package-pr.yml
index 6d80a5c..7eb2216 100644
--- a/.github/workflows/dotnet-package-pr.yml
+++ b/.github/workflows/dotnet-package-pr.yml
@@ -58,11 +58,9 @@ on:
 required: false
 
 permissions:
- actions: read
 contents: write
 packages: write
 pull-requests: write
- security-events: write
 
 jobs:
 ci-cd:
diff --git a/.github/workflows/dotnet-package-release.yml b/.github/workflows/dotnet-package-release.yml
index a386456..57fab11 100644
--- a/.github/workflows/dotnet-package-release.yml
+++ b/.github/workflows/dotnet-package-release.yml
@@ -59,11 +59,9 @@ on:
 required: false
 
 permissions:
- actions: read
 contents: write
 packages: write
 pull-requests: read
- security-events: write
 
 jobs:
 ci-cd:
diff --git a/.github/workflows/dotnet-pr.yml b/.github/workflows/dotnet-pr.yml
index 023364e..377832c 100644
--- a/.github/workflows/dotnet-pr.yml
+++ b/.github/workflows/dotnet-pr.yml
@@ -58,10 +58,8 @@ on:
 required: false
 
 permissions:
- actions: read
 contents: read
 pull-requests: write
- security-events: write
 
 jobs:
 ci-cd: