From c8e69945dcca6d565ff8ed75ef4a2d9efb7ad2da Mon Sep 17 00:00:00 2001
From: Guillaume Delacour
Date: Tue, 20 Jun 2023 18:07:41 +0200
Subject: [PATCH 1/4] Use CodeQL action
---
 .github/workflows/deploy.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 4f014ea..b0828bd 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -19,6 +19,9 @@ jobs:
 - name: checkout source code
 uses: actions/checkout@v3
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+
 - name: Install Python
 uses: actions/setup-python@v4
 with:
@@ -32,6 +35,9 @@ jobs:
 cd lambda && zip -r ../lambda.zip . && \
 ls -lh
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v2
+
 - name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@v2
 with:
From 19dbfa330ee9285e969ac60e8b8fdd4cd216817b Mon Sep 17 00:00:00 2001
From: Guillaume Delacour
Date: Tue, 20 Jun 2023 18:09:31 +0200
Subject: [PATCH 2/4] Change permissions
---
 .github/workflows/deploy.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index b0828bd..96cb42f 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -11,6 +11,8 @@ jobs:
 permissions:
 id-token: write
 contents: read
+ actions: read
+ security-events: write
 strategy:
 matrix:
 python-version: [3.9]
From d9a7570d2801ec430846c508a9131b1882784f67 Mon Sep 17 00:00:00 2001
From: Guillaume Delacour
Date: Tue, 20 Jun 2023 18:17:15 +0200
Subject: [PATCH 3/4] Fix linter
---
 .github/workflows/deploy.yml | 2 +-
 .yaml-lint.yml | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
 create mode 100644 .yaml-lint.yml
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 96cb42f..55e1c77 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
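Review bot: The `Initialize CodeQL` step at `uses: github/codeql-action/init@v2` passes no `languages:`, so which languages get analyzed is left to the action's own auto-detection; since this deploy workflow is the only CodeQL scan in the series, name the target explicitly so the scan cannot silently change or find nothing if detection drifts: `with:` / `languages: python`. The step also sits inside a job with `strategy.matrix` (outside this hunk), so init and analyze run once per matrix entry — a single scan with one Python version, but worth a comment on the step before more versions are added.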
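Review bot: `Perform CodeQL Analysis` is placed between the zip build and `Configure AWS credentials`, but `github/codeql-action/analyze` uploads its results to code scanning and succeeds regardless of what it finds, so new alerts never block the deploy steps that follow it in this job. If a gate was intended, this ordering does not provide one — run the scan in a pull-request workflow where the code-scanning check can be made required, or query the resulting alerts before deploying; if it was only meant to record what was deployed, say so above the step: `# Non-blocking: results go to code scanning, the job does not fail on alerts`. Running the analysis before the AWS credentials step is the right order either way, since the scan never needs cloud credentials in its environment.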
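Review bot: The new `actions: read` and `security-events: write` entries extend a permissions block whose header comment (just above the hunk in the surrounding file) says it exists for the OIDC token endpoint, so a later reader gets no hint that CodeQL now depends on it and may drop them as unused. Annotate each line with its consumer: `security-events: write  # codeql-action/analyze uploads SARIF to code scanning` and `actions: read  # codeql-action; its docs list this as required only for private repositories`. Keeping the grant at job scope next to `contents: read`, rather than widening to workflow scope, is the right least-privilege shape.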
@@ -7,7 +7,7 @@ jobs:
 build-deploy:
 runs-on: ubuntu-latest
- # These permissions are needed to interact with GitHub's OIDC Token endpoint.
+ # These permissions are needed to interact with GitHub's OIDC Token endpoint
 permissions:
 id-token: write
 contents: read
diff --git a/.yaml-lint.yml b/.yaml-lint.yml
new file mode 100644
index 0000000..aa53554
--- /dev/null
+++ b/.yaml-lint.yml
@@ -0,0 +1,2 @@
+rules:
+ document-start: disable
From f7cf966a4fcd93cbc68eb357702a90abbdf1c0cb Mon Sep 17 00:00:00 2001
From: Guillaume Delacour
Date: Tue, 20 Jun 2023 18:28:56 +0200
Subject: [PATCH 4/4] Don't scan dependencies
---
 .github/workflows/deploy.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 55e1c77..1d931db 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -23,6 +23,8 @@ jobs:
 - name: Initialize CodeQL
 uses: github/codeql-action/init@v2
+ with:
+ setup-python-dependencies: false
 - name: Install Python
 uses: actions/setup-python@v4
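Review bot: The new `.yaml-lint.yml` at the repository root is only read if the linter is told to look for that name: yamllint's own config discovery checks `.yamllint`, `.yamllint.yaml` or `.yamllint.yml` in the working directory, and wrappers such as super-linter expect `.yaml-lint.yml` under `.github/linters/` unless their rules path is overridden. The lint workflow is not part of this series, so verify that whichever invocation runs actually picks this file up — otherwise `document-start: disable` has no effect and the failure this patch targets stays. Adding `---` at the top of `deploy.yml` would satisfy the default rule without a repository-wide config at all.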
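Review bot: `setup-python-dependencies: false` on the init step does not keep dependencies out of the scan, as the subject line suggests: as the codeql-action docs describe it, this input only controls whether init pip-installs the project's Python requirements so the extractor can resolve third-party imports, and library code is not reported on either way. The practical effect is a faster, more self-contained init at the cost of some import-resolution precision, which is fine if that is what was wanted, but the reasoning should sit next to the setting: `# Skip pip-installing requirements during init; affects import resolution only, not which code is analyzed`. Note also that init runs before `Install Python` in this hunk, so any dependency install would have used the runner's default interpreter rather than the matrix version.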