* Added explicit read permissions + tweaked permissions As a part of #4698 - this should fix the remaining warnings we get from the OSSF scorecard in relation to github workflows. They now all have explicit read permissions with more granular permissions granted in jobs. * Update tfsec.yml New workflow that I had not fixed in this PR.
# Runs tfsec (Terraform static analysis) and publishes its findings to GitHub
# code scanning as a SARIF report.
name: tfsec

# Trigger only when Terraform sources can have changed (plus a manual trigger).
on:
  push:
    branches:
      - main
    paths:
      - '**.tf'
  pull_request:
    paths:
      - '**.tf'
  workflow_dispatch: # Manual dispatch

# Workflow-wide token scope is read-only; each job widens only what it needs.
permissions:
  contents: read

jobs:
  tfsec:
    # Job-level grants override the workflow default for this job only.
    # NOTE(review): GITHUB_TOKEN on pull_request runs from forks is read-only, so
    # security-events: write is not granted there and the SARIF upload step may
    # fail for fork PRs — confirm that is the intended behaviour.
    permissions:
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
    name: tfsec sarif report
    runs-on: ubuntu-latest

    # All third-party actions below are pinned to a full commit SHA rather than a
    # mutable tag, so a retagged upstream release cannot change what runs here.
    steps:
      - name: Clone repo
        # TODO(review): record the release tag this SHA corresponds to, as the
        # upload-sarif step does, so the pin can be audited and updated.
        uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089

      - name: tfsec
        # TODO(review): record the release tag this SHA corresponds to.
        uses: tfsec/tfsec-sarif-action@7ae00b384bff7f14cfa52cc3c73a5e6807a41398
        with:
          # Output path; must match sarif_file in the upload step below.
          sarif_file: tfsec.sarif

      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@883476649888a9e8e219d5b2e6b789dc024f690c # v1
        with:
          # Path to SARIF file relative to the root of the repository
          sarif_file: tfsec.sarif