Merge branch 'main' into dependabot/npm_and_yarn/typescript-eslint/parser-4.29.1

Author: henrymercer

.eslintrc.json

@@ -14,11 +14,14 @@
     ],
     "rules": {
         "filenames/match-regex": ["error", "^[a-z0-9-]+(\\.test)?$"],
+        "i18n-text/no-en": "off",
         "import/extensions": "error",
         "import/no-amd": "error",
         "import/no-commonjs": "error",
         "import/no-dynamic-require": "error",
-        "import/no-extraneous-dependencies": ["error"],
+        // Disable the rule that checks that devDependencies aren't imported since we use a single
+        // linting configuration file for both source and test code.
+        "import/no-extraneous-dependencies": ["error", {"devDependencies": true}],
         "import/no-namespace": "off",
         "import/no-unresolved": "error",
         "import/no-webpack-loader-syntax": "error",
@@ -48,7 +51,8 @@
             "@typescript-eslint/prefer-regexp-exec": "off",
             "@typescript-eslint/require-await": "off",
             "@typescript-eslint/restrict-template-expressions": "off",
-            "func-style": "off"
+            "func-style": "off",
+            "sort-imports": "off"
         }
     }]
 }

.github/workflows/codeql.yml

@@ -17,8 +17,6 @@ jobs:
       versions: ${{ steps.compare.outputs.versions }}
 
     permissions:
-      actions: read
-      contents: read
       security-events: write
 
     steps:
@@ -68,8 +66,6 @@ jobs:
     runs-on: ${{ matrix.os }}
 
     permissions:
-      actions: read
-      contents: read
       security-events: write
 
     steps:

.github/workflows/pr-checks.yml

@@ -350,13 +350,12 @@ jobs:
         echo "Default CodeQL bundle version is $CODEQL_VERSION_DEFAULT"
         echo "Latest CodeQL bundle version is $CODEQL_VERSION_LATEST"
         echo "Nightly CodeQL bundle version is $CODEQL_VERSION_NIGHTLY"
-        if [[ "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
-          # Skip `tools: latest` since it would be the same as `tools: null`
-          VERSIONS_JSON="[null, \"$NIGHTLY_URL\"]"
-        else
-          # Run integration tests with all three bundles.
-          VERSIONS_JSON="[null, \"$NIGHTLY_URL\", \"latest\"]"
-        fi
+
+        # Run integration tests with all three bundles, even if `tools: latest` would be the same as
+        # `tools: null`. This allows us to make all three kinds of integration tests required status
+        # checks on PRs.
+        VERSIONS_JSON="[null, \"$NIGHTLY_URL\", \"latest\"]"
+
         # Output a JSON-encoded list with the distinct versions to test against.
         echo "Suggested matrix config for integration tests: $VERSIONS_JSON"
         echo "::set-output name=versions::${VERSIONS_JSON}"

CHANGELOG.md

@@ -2,7 +2,11 @@
 
 ## [UNRELEASED]
 
-No user facing changes.
+- Update README to include a sample permissions block. [#689](https://github.com/github/codeql-action/pull/689)
+
+## 1.0.11 - 09 Aug 2021
+
+- Update default CodeQL bundle version to 2.5.9. [#687](https://github.com/github/codeql-action/pull/687)
 
 ## 1.0.10 - 03 Aug 2021
 

README.md

@@ -42,6 +42,14 @@ jobs:
     # CodeQL runs on ubuntu-latest, windows-latest, and macos-latest
     runs-on: ubuntu-latest
 
+    permissions:
+      # required for all workflows
+      security-events: write
+
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+
     steps:
       - name: Checkout repository
         uses: actions/checkout@v2