ci: ignore tests in CodeQL scan and add missing permission restrictio…

…ns (#253) ignore tests in CodeQL scan and add missing permission restrictions Signed-off-by: gruebel <[email protected]>
open-feature · Jan 6, 2024 · 49aae78 · 49aae78
1 parent 3b6204d
commit 49aae78
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 1 deletion.
diff --git a/.github/codeql-config.yml b/.github/codeql-config.yml
@@ -0,0 +1,4 @@
+name: "CodeQL config"
+
+paths-ignore:
+  - tests
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -13,6 +13,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -64,6 +67,7 @@ jobs:
         uses: github/codeql-action/init@v3
         with:
           languages: python
+          config-file: ./.github/codeql-config.yml
 
       - name: Install dependencies
         run: pip install -r requirements.txt

diff --git a/.github/workflows/lint-pr.yml b/.github/workflows/lint-pr.yml
@@ -12,11 +12,14 @@ on:
       - edited
       - synchronize
 
+permissions:
+  pull-requests: read
+
 jobs:
   main:
     name: Validate PR title
     runs-on: ubuntu-latest
     steps:
       - uses: amannn/action-semantic-pull-request@v5
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}