
Document required workflow permissions (README regression) #1913

Open
@GregDomzalski

Description


Hello,

I've come across quite a few issues in this repo that seem to boil down to people not knowing what permissions are needed for CodeQL to work in their workflows. I believe for private repos they are:

    permissions:
      # required for all workflows
      security-events: write

      # only required for workflows in private repositories
      actions: read
      contents: read

These were documented in an old version of the README, which was super helpful. This was removed by this commit.

The documentation the current README points to seems to focus on enabling CodeQL or Advanced Security for new repos, or enabling it for the first time.

But we have several repos that have been around for some time. It doesn't seem right that we should disable/remove CodeQL only to re-enable it using the "defaults" listed above.

I've clicked through all of the links that the current README points to, but none of them describe what permissions the code scanning features require. This information seems important to capture somewhere. As a security-minded organization, we want to make sure we're only enabling the minimum set of permissions in a repo, and it would also be helpful to understand why a certain action requires a particular permission.

Could we please add a note on permissions on either the About code scanning with CodeQL page, or one that is easily found from that page?

Thanks!
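For reference, here is what a complete workflow looks like with exactly the permissions listed in the issue applied. This is an added example, not code from the issue author or from the codeql-action project's documentation. It assumes a private repository, a JavaScript code base, and the v3 tags of the github/codeql-action actions; the explanation of why `security-events: write` is needed (the analyze step uploads SARIF results to the code scanning API) is the editor's understanding, not something the issue states.

```yaml
# Added example (not from the issue or the codeql-action project's docs):
# a minimal CodeQL workflow granting only the permissions the issue lists.
# Assumptions: private repository, JavaScript code base, codeql-action v3 tags.
name: "CodeQL"

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest

    # Declaring a permissions block at all sets every permission not listed
    # here to "none", so this block is also the least-privilege baseline
    # for the job's GITHUB_TOKEN.
    permissions:
      # required for all workflows: the analyze step uploads SARIF results
      # to the code scanning API (editor's understanding)
      security-events: write
      # only required for workflows in private repositories
      actions: read
      contents: read

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript

      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
```

Putting the `permissions:` block at the job level rather than at the top of the file keeps the reduced grant scoped to the CodeQL job, so other jobs in the same workflow are unaffected. If the repository is public, the `actions: read` and `contents: read` lines can be left out, per the issue's own note.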

Metadata

Labels

    CodeQL Action (This repo! Helps for internal planning)
    documentation (Improvements or additions to documentation)
    good first issue (Good for newcomers)