feat: use contents read permission for CodeQL and semgrep analysis jobs. by LillieEntur · Pull Request #182 · entur/gha-security

LillieEntur · 2026-03-16T13:36:30Z

💡 What does this PR do?

The pull request aims to remove usage of contents: write during workflow jobs that execute gradle jobs.

contents: write is only needed for uploading dependency graph, and only were required when the action was running in main branch, and no cached results were found. A new job were made to isolate the contents: write to only upload the dependency graph.

Closes: SIK-1886

🔧 List of changes

code-scan.yml
- explicitly define github-token as input to github actions instead of being hidden by default input
- replace contents: write with contents: read for semgrep-analysis and codeql-analysis jobs.
- add job upload-dependency-graph

📋 Checklist

Am familiar with the release pipeline for this project
I have verified that the project runs as expected after the new changes

… write from codeql and semgrep jobs

.github/workflows/code-scan.yml

LillieEntur added 3 commits March 12, 2026 13:56

chore: provide token to actions using with instead of default

90523d7

refactor: remove 'Get repository name' step from codeql-analysis job

bd314e5

refactor: move dependency-graph upload to own job to remove contents:…

0fae294

… write from codeql and semgrep jobs

LillieEntur marked this pull request as ready for review March 17, 2026 08:45

LillieEntur requested a review from a team as a code owner March 17, 2026 08:45

chore: update comment in code-scan.yml

94a3e21

EnturWilhelm requested changes Mar 17, 2026

View reviewed changes

.github/workflows/code-scan.yml Outdated Show resolved Hide resolved

.github/workflows/code-scan.yml Outdated Show resolved Hide resolved

.github/workflows/code-scan.yml Outdated Show resolved Hide resolved

chore: clean up github environment variables

ad3f481

LillieEntur requested a review from EnturWilhelm March 17, 2026 13:08

EnturWilhelm approved these changes Mar 17, 2026

View reviewed changes

chore: opt out of CodeQL Action file coverage on PRs change

cac5054

LillieEntur merged commit adeb7be into main Mar 18, 2026
4 checks passed

github-actions bot mentioned this pull request Mar 18, 2026

chore(main): release 2.11.0 #183

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: use contents read permission for CodeQL and semgrep analysis jobs.#182

feat: use contents read permission for CodeQL and semgrep analysis jobs.#182
LillieEntur merged 6 commits intomainfrom
feature/SIK-1886

LillieEntur commented Mar 16, 2026 •

edited

Loading

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

LillieEntur commented Mar 16, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

💡 What does this PR do?

🔧 List of changes

📋 Checklist

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

LillieEntur commented Mar 16, 2026 •

edited

Loading