
Favor `GITHUB_WORKFLOW_REF` over using `actions: read` to calculate the workflow path

Open jsoref opened this issue 1 year ago • 2 comments

Introduced with GHES 3.9: https://docs.github.com/en/enterprise-server@3.9/actions/learn-github-actions/variables

`GITHUB_WORKFLOW_REF` means that actions don't need to use `actions: read` to determine the path to the running workflow.

This should address the problem in #2117 as long as the user is running on GHES 3.9+ (including GHEC).

It doesn't precisely fix the issue because someone running on GHES 3.8 will still need to add `actions: read` until #2121 makes that code path non-fatal.

Note that these aren't mutually exclusive PRs (although as they both impact the changelog, they will conflict there...) -- both changes should be applied -- this simplifies the general logic for the average user (and once GHES 3.8 is sunset, the other code path should be removed entirely).

Merge / deployment checklist

  • [x] Confirm this change is backwards compatible with existing workflows.
  • [x] Confirm the readme has been updated if necessary.
  • [x] Confirm the changelog has been updated if necessary.

jsoref avatar Feb 09 '24 04:02 jsoref
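As an added illustration of the mechanism the PR relies on (example code written for this page, not codeql-action's own implementation): `GITHUB_WORKFLOW_REF` has the documented form `owner/repo/.github/workflows/<file>.yml@refs/...`, so the workflow path can be recovered by string parsing alone, with no Actions API call and therefore no `actions: read` permission. The `env` argument is a plain record so the block runs without Node type definitions; in a real action you would pass `process.env`. The `undefined` return on missing variables is the GHES 3.8 case the PR description mentions, where the caller must fall back to the API path.

```typescript
// Added example, not code from github/codeql-action.
// Parses GITHUB_WORKFLOW_REF (GHES 3.9+ / GHEC) into repository, workflow
// path and git ref, so the running workflow's path is known without
// querying the Actions API.

interface WorkflowLocation {
  repository: string; // "owner/repo"
  path: string;       // ".github/workflows/<file>.yml", relative to the repo root
  ref: string;        // "refs/heads/main", "refs/tags/v1", "refs/pull/12/merge", ...
}

// Environment shape kept minimal on purpose (no @types/node needed);
// pass process.env from a real action.
type Env = Record<string, string | undefined>;

function parseWorkflowRef(workflowRef: string, repository: string): WorkflowLocation {
  // The value always begins with the repository the workflow file lives in,
  // which for a reusable workflow may differ from the caller's repository.
  const prefix = `${repository}/`;
  if (!workflowRef.startsWith(prefix)) {
    throw new Error(`GITHUB_WORKFLOW_REF ${JSON.stringify(workflowRef)} does not start with ${prefix}`);
  }
  const rest = workflowRef.slice(prefix.length);

  // Split "<path>@<ref>" at the first "@"; workflow file names are not
  // expected to contain "@", whereas refs legitimately can.
  const at = rest.indexOf("@");
  if (at < 0) {
    throw new Error(`GITHUB_WORKFLOW_REF ${JSON.stringify(workflowRef)} has no "@<ref>" suffix`);
  }
  const path = rest.slice(0, at);
  const ref = rest.slice(at + 1);

  // Sanity checks: the path must be a workflow file and the ref a full git ref.
  if (!path.startsWith(".github/workflows/")) {
    throw new Error(`unexpected workflow path ${JSON.stringify(path)}`);
  }
  if (!ref.startsWith("refs/")) {
    throw new Error(`unexpected ref ${JSON.stringify(ref)}`);
  }
  return { repository, path, ref };
}

// Returns the workflow path, or undefined on runners that do not export
// GITHUB_WORKFLOW_REF (GHES 3.8 and older). In that case the caller has to
// fall back to the Actions API, which is the code path needing `actions: read`.
function workflowPathFromEnv(env: Env): string | undefined {
  const workflowRef = env["GITHUB_WORKFLOW_REF"];
  const repository = env["GITHUB_REPOSITORY"];
  if (!workflowRef || !repository) {
    return undefined;
  }
  return parseWorkflowRef(workflowRef, repository).path;
}

// Constructed sample values in the shape GitHub documents for this variable.
const sampleEnv: Env = {
  GITHUB_REPOSITORY: "octocat/hello-world",
  GITHUB_WORKFLOW_REF: "octocat/hello-world/.github/workflows/my-workflow.yml@refs/heads/my_branch",
};
console.log(workflowPathFromEnv(sampleEnv)); // .github/workflows/my-workflow.yml
console.log(workflowPathFromEnv({}));        // undefined (GHES 3.8 fallback case)
```

Treat the `undefined` branch as the signal to either call the API or, once #2121 lands, to skip the path lookup gracefully rather than failing the step.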

I can confirm that this fixes my issue from #2117 without the need to declare the `actions: read` permission:

diff --git a/.github/workflows/local-cd.yml b/.github/workflows/local-cd.yml
index c6bf452..ee11bac 100644
--- a/.github/workflows/local-cd.yml
+++ b/.github/workflows/local-cd.yml
@@ -236,7 +236,6 @@ jobs:
     runs-on: ubuntu-latest
     needs: build-and-publish
     permissions:
-      actions: read
       contents: read
       packages: read
       pull-requests: write
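Review bot: removing `actions: read` here is the least-privilege result this PR is after, but it is only safe where the runner exports `GITHUB_WORKFLOW_REF` (GHES 3.9+ and GHEC, per the PR description); on GHES 3.8 the upload step still takes the Actions API path that needs this permission, so keep the removal tied to the platform version until #2121 makes that fallback non-fatal. The remaining `contents: read`, `packages: read` and `pull-requests: write` read as the minimum the job needs.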
@@ -282,7 +281,8 @@ jobs:
         id: upload-sarif
         continue-on-error: true
         if: hashFiles('sarif.output.json') != '' && github.event_name != 'pull_request_target'
-        uses: github/codeql-action/upload-sarif@main
+        uses: jsoref/github-codeql-action/upload-sarif@favor-workflow-ref
         with:
           sarif_file: sarif.output.json
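Review bot: `uses: jsoref/github-codeql-action/upload-sarif@favor-workflow-ref` points a CD workflow at a mutable branch of a personal fork, which is fine for verifying the fix but should revert to the upstream action (ideally pinned to a release tag or commit SHA rather than `@main`) once this PR merges, since whoever can push to that branch controls what runs in the job. Note also that `continue-on-error: true` on this step hides a failed upload, including one caused by the missing permission on GHES 3.8, so confirm the fix from the step log rather than from the job status.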

SPodjasek avatar Feb 09 '24 10:02 SPodjasek

@angelapwen: um, if someone gave me a workflow, I'm open to running it.

I haven't managed to get reusable workflows to do anything particularly useful for me, so I don't generally use them myself (I think there are some reusable workflows somewhere in one of the codeql repositories) -- mostly they've made me dizzy (I tried to figure out a way to set up a reusable workflow for check-spelling, and it didn't seem to add any value).

I have very little time tomorrow and won't have time until Tuesday (Monday's a holiday in Canada). I expect to be moderately busy next week, but I can generally run commands if people provide them.

(Sorry, I have no idea how/why I missed your event this morning...)

jsoref avatar Feb 16 '24 03:02 jsoref