ignore tests in CodeQL scan and add missing permission restrictions

gruebel · gruebel · commit bf55d97072a8 · 2024-01-06T12:18:39.000+01:00
Signed-off-by: gruebel &lt;anton.gruebel@gmail.com&gt;
diff --git a/.github/codeql-config.yml b/.github/codeql-config.yml
@@ -0,0 +1,4 @@
+name: "CodeQL config"
+
+paths-ignore:
+  - tests
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -13,6 +13,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -64,6 +67,7 @@ jobs:
         uses: github/codeql-action/init@v3
         with:
           languages: python
+          config-file: ./.github/codeql-config.yml
 
       - name: Install dependencies
         run: pip install -r requirements.txt
diff --git a/.github/workflows/lint-pr.yml b/.github/workflows/lint-pr.yml
@@ -12,11 +12,14 @@ on:
       - edited
       - synchronize
 
+permissions:
+  pull-requests: read
+
 jobs:
   main:
     name: Validate PR title
     runs-on: ubuntu-latest
     steps:
       - uses: amannn/action-semantic-pull-request@v5
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +name: "CodeQL config"
++
 +paths-ignore:
 +  - tests