From b7de086111ce785ab7188246857cf884d0f20d3a Mon Sep 17 00:00:00 2001 From: Rifa Achrinza <25147899+achrinza@users.noreply.github.com> Date: Thu, 9 Nov 2023 16:50:19 +0800 Subject: [PATCH] ci: fix Scorecard issues see: https://github.com/loopbackio/strong-error-handler/security/code-scanning/7 see: https://github.com/loopbackio/strong-error-handler/security/code-scanning/6 see: https://github.com/loopbackio/strong-error-handler/security/code-scanning/5 see: https://github.com/loopbackio/security/issues/27 Signed-off-by: Rifa Achrinza <25147899+achrinza@users.noreply.github.com> --- .github/workflows/codeql-analysis.yml | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 6c3d863..cddd7dc 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -1,4 +1,4 @@ -name: "CodeQL" +name: CodeQL on: push: @@ -9,20 +9,33 @@ on: schedule: - cron: '0 13 * * 6' +permissions: {} + jobs: analyze: name: Analyze runs-on: ubuntu-latest + permissions: + security-events: write + actions: read steps: + - uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 + with: + disable-sudo: true + egress-policy: audit + - name: Checkout repository - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5 with: - languages: 'javascript' - config-file: ./.github/codeql/codeql-config.yml + languages: javascript-typescript + config-file: .github/codeql/codeql-config.yml - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5 +
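Review bot: `egress-policy: audit` on the new harden-runner step only records outbound connections and blocks nothing, so the Scorecard finding is satisfied on paper while a compromised dependency in this job could still reach out or pull a payload. Once a few audit runs have shown which hosts the CodeQL init/analyze steps actually contact, switch to `egress-policy: block` with an explicit `allowed-endpoints:` list built from that report, as sketched below (the hosts shown are the usual ones for checkout, bundle download and SARIF upload and must be confirmed against the audit output). The job-level `permissions:` block omits `contents: read`; that is fine for a public repository, where checkout and the config-file read are anonymous, but the CodeQL starter workflow lists `contents: read` for private repositories, so add it if this workflow is ever reused there. The pinned SHAs are only as trustworthy as the `# vX.Y.Z` comments beside them, so make sure Dependabot or Renovate is enabled for the `github-actions` ecosystem, otherwise these pins freeze at v2.22.5 / v2.6.0 and never pick up fixes.
```yaml
      - uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
        with:
          disable-sudo: true
          egress-policy: block
          # populate from the audit-mode report; these are the usual CodeQL hosts
          allowed-endpoints: >
            github.com:443
            api.github.com:443
            objects.githubusercontent.com:443
      # … unchanged: checkout, CodeQL init and analyze steps …
```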