From 8d8e77657367220a7381ea9e0ab333500eb52b69 Mon Sep 17 00:00:00 2001 From: Paul Mars Date: Tue, 7 Apr 2026 11:51:16 +0200 Subject: [PATCH 1/4] ci: set specific name on arch-specific results --- .github/workflows/security.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index 017c21b3..4a3b2dee 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml @@ -15,7 +15,7 @@ jobs: # architecture-specific vulnerabilities. arch: [amd64, arm, arm64, ppc64le, s390x, riscv64] env: - TRIVY_RESULTS: 'trivy-results.sarif' + TRIVY_RESULTS: 'trivy-results.${{ matrix.arch }}.sarif' SCAN_DIR: 'release-scan' steps: - name: Download and extract latest release @@ -45,6 +45,7 @@ jobs: uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 with: sarif_file: ${{ env.TRIVY_RESULTS }} + token: ${{ secrets.ROCKSBOT_CHISEL_SECURITY_EVENTS }} - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 if: ${{ !cancelled() }} From fb487483d006a1a45e72e9365578b9a173f5696a Mon Sep 17 00:00:00 2001 From: Paul Mars Date: Tue, 7 Apr 2026 14:36:45 +0200 Subject: [PATCH 2/4] ci: use GH token to upload SARIF report --- .github/workflows/security.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index 4a3b2dee..a7085e38 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml @@ -8,6 +8,9 @@ jobs: scan: name: Scan for known vulnerabilities runs-on: ubuntu-latest + permissions: + security-events: write + contents: read strategy: fail-fast: false matrix: 
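Review bot: The upload-sarif step still carries no `category` input, so the six matrix jobs (one per arch, each now writing its own `trivy-results.<arch>.sarif`) all upload to code scanning under the same default category, and GitHub distinguishes analyses by tool and category rather than by SARIF file name — the per-arch split this patch introduces for the artifact presumably does not survive in the code-scanning view, with later uploads superseding earlier ones. Adding `category: trivy-${{ matrix.arch }}` beside `sarif_file:` under `with:` keeps the six result sets apart. The `token:` line added here is removed again by the next patch in the series, so nothing to raise on it. The step definition (its `- name:` line) starts before this hunk.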
@@ -45,7 +48,6 @@ jobs: uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 with: sarif_file: ${{ env.TRIVY_RESULTS }} - token: ${{ secrets.ROCKSBOT_CHISEL_SECURITY_EVENTS }} - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 if: ${{ !cancelled() }} From cdb63b959721ebd61560dc2b2afedb79dbcaa5b0 Mon Sep 17 00:00:00 2001 From: Paul Mars Date: Mon, 20 Apr 2026 15:27:35 +0200 Subject: [PATCH 3/4] docs: clarify the need to use the default token --- .github/workflows/security.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index a7085e38..dab1935f 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml @@ -8,6 +8,9 @@ jobs: scan: name: Scan for known vulnerabilities runs-on: ubuntu-latest + # The codeql-action/upload-sarif action can only use the built-in GH token. + # So use it and expand its permissions instead od using a fine-grained token. + # See https://github.com/github/codeql-action/blob/main/upload-sarif/action.yml#L23 permissions: security-events: write contents: read From c5da7222f348ed2580bef8b53960b563abc38137 Mon Sep 17 00:00:00 2001 From: Paul Mars Date: Fri, 24 Apr 2026 13:42:12 +0200 Subject: [PATCH 4/4] style: correct typo --- .github/workflows/security.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index dab1935f..f43e0043 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml 
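Review bot: The `# See https://github.com/github/codeql-action/blob/main/upload-sarif/action.yml#L23` reference in the new comment block points at a line number on `main`, which will drift as that file changes and then no longer back the claim made in the two lines above it. The step is pinned to `0d579ffd059c29b07949a3cce3983f0780820c98`, so a permalink at that commit is stable and matches the code that actually runs: `# See https://github.com/github/codeql-action/blob/0d579ffd059c29b07949a3cce3983f0780820c98/upload-sarif/action.yml (the 'token' input)`. The link and the `uses:` pin should then be bumped together when the action is updated.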
@@ -8,8 +8,9 @@ jobs: scan: name: Scan for known vulnerabilities runs-on: ubuntu-latest - # The codeql-action/upload-sarif action can only use the built-in GH token. - # So use it and expand its permissions instead od using a fine-grained token. + # The codeql-action/upload-sarif action can only use the built-in GitHub + # token. So use it and expand its permissions instead of using a fine-grained + # token. # See https://github.com/github/codeql-action/blob/main/upload-sarif/action.yml#L23 permissions: security-events: write