Workflows are missing permissions requests #15462

@jsoref

https://github.com/check-spelling-sandbox/codeql/actions/runs/7699091660/workflow

https://github.com/check-spelling-sandbox/codeql/actions/runs/7699091660/job/20979906681#step:19:55

Post job cleanup.
Warning: Debugging artifacts are unavailable since the 'init' Action failed before it could produce any.
RequestError [HttpError]: Resource not accessible by integration
    at /home/runner/work/_actions/github/codeql-action/v2/node_modules/@octokit/request/dist-node/index.js:86:21
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async requestWithGraphqlErrorHandling (/home/runner/work/_actions/github/codeql-action/v2/node_modules/@octokit/plugin-retry/dist-node/index.js:71:20)
    at async Job.doExecute (/home/runner/work/_actions/github/codeql-action/v2/node_modules/bottleneck/light.js:405:18) {
  status: 403,
  response: {
    url: 'https://api.github.com/repos/check-spelling-sandbox/codeql/code-scanning/analysis/status',
    status: 403,
    headers: {
      'access-control-allow-origin': '*',
      'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
      connection: 'close',
      'content-encoding': 'gzip',
      'content-security-policy': "default-src 'none'",
      'content-type': 'application/json; charset=utf-8',
      date: 'Mon, 29 Jan 2024 16:16:02 GMT',
      'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
      server: 'GitHub.com',
      'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
      'transfer-encoding': 'chunked',
      vary: 'Accept-Encoding, Accept, X-Requested-With',
      'x-content-type-options': 'nosniff',
      'x-frame-options': 'deny',
      'x-github-api-version-selected': '2022-11-28',
      'x-github-media-type': 'github.v3; format=json',
      'x-github-request-id': '94E3:79CB:3878D:7311B:65B7CF42',
      'x-ratelimit-limit': '1000',
      'x-ratelimit-remaining': '961',
      'x-ratelimit-reset': '1706548556',
      'x-ratelimit-resource': 'core',
      'x-ratelimit-used': '39',
      'x-xss-protection': '0'
    },
    data: {
      message: 'Resource not accessible by integration',
      documentation_url: 'https://docs.github.com/rest'
    }
  },
  request: {
    method: 'PUT',
    url: 'https://api.github.com/repos/check-spelling-sandbox/codeql/code-scanning/analysis/status',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'CodeQL-Action/2.23.2 octokit-core.js/3.6.0 Node.js/16.20.2 (linux; x64)',
      authorization: 'token [REDACTED]',
      'content-type': 'application/json; charset=utf-8'
    },
    body: '{"action_name":"init-post","action_oid":"unknown","action_ref":"v2","action_started_at":"2024-01-29T16:16:02.392Z","action_version":"2.23.2","analysis_key":".github/workflows/ql-for-ql-dataset_measure.yml:measure","commit_oid":"aeae208dc3291109d6c798179bb8944961348823","job_name":"measure","job_run_uuid":"75681a8a-17f0-4c74-b850-172cffab9a66","ref":"refs/heads/main","runner_available_disk_space_bytes":31716970496,"runner_os":"Linux","runner_total_disk_space_bytes":89297309696,"started_at":"2024-01-29T16:16:01.614Z","status":"success","testing_environment":"","workflow_name":"Collect database stats for QL for QL","workflow_run_attempt":1,"workflow_run_id":7699091660,"completed_at":"2024-01-29T16:16:02.416Z","matrix_vars":"{\\n  \\"repo\\": \\"github/codeql\\"\\n}","runner_arch":"X64","runner_image_version":"20240126.1.0","job_status":"JOB_STATUS_UNKNOWN"}',
    request: { agent: [Agent], hook: [Function: bound bound register] }
  }
}
Error: Resource not accessible by integration

I presume that it needs:

permissions:
  security-events: write

or similar, but this API isn't documented in https://docs.github.com/en/rest/authentication/permissions-required-for-github-apps?apiVersion=2022-11-28 so I have absolutely no idea.
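A check for the condition the issue title describes, as an added example that is not code from the CodeQL repository or the CodeQL Action: it lists jobs that call `github/codeql-action` without an explicit `security-events: write` grant. The scope name follows the poster's presumption above; `scan`, `codeql_jobs_lacking` and the sample workflow are constructed for illustration.

```python
import re

# Heuristic line scanner, not a YAML parser: assumes block-style workflow YAML.
LINE = re.compile(r"^(?P<ind> *)(?:- +)?(?P<key>[\w-]+): *(?P<val>.*)$")

def scan(text):
    """Return (workflow_perms, {job: {"perms": dict or None, "codeql": bool}})."""
    wf_perms, jobs = None, {}
    section = job = target = job_ind = key_ind = perm_ind = None
    for m in filter(None, map(LINE.match, text.splitlines())):
        ind, key = len(m["ind"]), m["key"]
        val = m["val"].split(" #")[0].strip().strip("'\"")
        if target is not None and ind > perm_ind:
            target[key] = val  # entry inside a permissions: mapping
            continue
        target, perms = None, ({} if not val else {"*": val})
        if ind == 0:
            section, job = key, None
            if key == "permissions":
                wf_perms, target, perm_ind = perms, perms, ind
        elif section == "jobs":
            job_ind = ind if job_ind is None else job_ind
            if ind == job_ind:
                job, key_ind = key, None
                jobs[job] = {"perms": None, "codeql": False}
            elif job:
                key_ind = ind if key_ind is None else key_ind
                if key == "permissions" and ind == key_ind:
                    jobs[job]["perms"], target, perm_ind = perms, perms, ind
                elif key == "uses" and val.startswith("github/codeql-action/"):
                    jobs[job]["codeql"] = True
    return wf_perms, jobs

def codeql_jobs_lacking(text, scope="security-events"):
    """Map each job using github/codeql-action to why it lacks `scope: write`."""
    wf_perms, jobs = scan(text)
    findings = {}
    for name, info in jobs.items():
        perms = wf_perms if info["perms"] is None else info["perms"]
        if info["codeql"] and perms is None:
            findings[name] = "no permissions block; repository default applies"
        elif info["codeql"] and perms.get("*") != "write-all" and perms.get(scope) != "write":
            findings[name] = f"permissions block lacks {scope}: write"
    return findings

# Constructed sample workflow, not taken from the repository in the issue.
SAMPLE = ("jobs:\n  measure:\n    steps:\n      - uses: github/codeql-action/init@v2\n"
          "  fixed:\n    permissions:\n      security-events: write\n"
          "    steps:\n      - uses: github/codeql-action/init@v2\n")
print(codeql_jobs_lacking(SAMPLE))
```

A job-level `permissions:` block replaces the workflow-level one rather than merging with it, which is why the job's own block is consulted first. A job with no block at all gets whatever default the repository or organization sets for `GITHUB_TOKEN`, which may be read-only.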

Labels: question (Further information is requested)
