mirror of synced 2025-12-20 10:28:40 -05:00

Configure GITHUB_TOKEN permissions (#18348)

* Add 'permissions' to reference page

* Final set of pre-review changes

* Update content/actions/learn-github-actions/security-hardening-for-github-actions.md

Co-authored-by: Sarah Edwards <skedwards88@github.com>

* Update content/actions/reference/authentication-in-a-workflow.md

Co-authored-by: Sarah Edwards <skedwards88@github.com>

* Update content/actions/reference/authentication-in-a-workflow.md

Co-authored-by: Sarah Edwards <skedwards88@github.com>

* Update content/actions/reference/authentication-in-a-workflow.md

Co-authored-by: Sarah Edwards <skedwards88@github.com>

* Update content/actions/reference/authentication-in-a-workflow.md

Co-authored-by: Sarah Edwards <skedwards88@github.com>

* Update data/reusables/github-actions/workflow-permissions-intro.md

Co-authored-by: Sarah Edwards <skedwards88@github.com>

* Update content/actions/reference/authentication-in-a-workflow.md

Co-authored-by: Sarah Edwards <skedwards88@github.com>

* Update content/actions/reference/authentication-in-a-workflow.md

Co-authored-by: Sarah Edwards <skedwards88@github.com>

* Update data/reusables/github-actions/publish-to-packages-workflow-step.md

Co-authored-by: Sarah Edwards <skedwards88@github.com>

* Update content/actions/guides/publishing-nodejs-packages.md

* Update content/actions/guides/publishing-java-packages-with-gradle.md

* Update content/actions/guides/publishing-java-packages-with-maven.md

* Update content/actions/guides/publishing-nodejs-packages.md

* Update content/actions/reference/authentication-in-a-workflow.md

* Update content/actions/reference/authentication-in-a-workflow.md

* Update content/actions/reference/authentication-in-a-workflow.md

* Update content/actions/reference/authentication-in-a-workflow.md

* Update content/actions/learn-github-actions/security-hardening-for-github-actions.md

* Update content/actions/reference/authentication-in-a-workflow.md

* Update content/actions/reference/workflow-syntax-for-github-actions.md

* Update content/actions/reference/workflow-syntax-for-github-actions.md

* Update content/actions/reference/workflow-syntax-for-github-actions.md

* Update content/github/administering-a-repository/disabling-or-limiting-github-actions-for-a-repository.md

* Update content/github/setting-up-and-managing-organizations-and-teams/disabling-or-limiting-github-actions-for-your-organization.md

* Update content/github/setting-up-and-managing-your-enterprise/enforcing-github-actions-policies-in-your-enterprise-account.md

* Update content/packages/guides/using-github-packages-with-github-actions.md

* Make review comment changes (locally)

* Resolve conflicts caused by remotely made review changes

* Remove translation file changes from PR.

* Remove rogue indentation in Important box

* Remove sentence about default being set to restricted.

This *will* be the case for new repos in future,
but that isn't being shipped at the moment.

* Add permissions to workflow examples (#18393)

Co-authored-by: Sarah Edwards <skedwards88@github.com>
This commit is contained in:
hubwriter
2021-04-20 16:49:38 +01:00
committed by GitHub
parent 317872ff90
commit de28b750d1
37 changed files with 454 additions and 150 deletions

@@ -154,6 +154,51 @@ If your workflow does not contain a matrix called `language`, then {% data varia
with:
languages: cpp, csharp, python
```
{% if currentVersion == "free-pro-team@latest" %}
### Analyzing Python dependencies
For GitHub-hosted runners that use Linux only, the {% data variables.product.prodname_codeql_workflow %} will try to auto-install Python dependencies to give more results for the CodeQL analysis. You can control this behavior by specifying the `setup-python-dependencies` parameter for the action called by the "Initialize CodeQL" step. By default, this parameter is set to `true`:
- If the repository contains code written in Python, the "Initialize CodeQL" step installs the necessary dependencies on the GitHub-hosted runner. If the auto-install succeeds, the action also sets the environment variable `CODEQL_PYTHON` to the Python executable file that includes the dependencies.
- If the repository doesn't have any Python dependencies, or the dependencies are specified in an unexpected way, you'll get a warning and the action will continue with the remaining jobs. The action can run successfully even when there are problems interpreting dependencies, but the results may be incomplete.
Alternatively, you can install Python dependencies manually on any operating system. You will need to add `setup-python-dependencies` and set it to `false`, as well as set `CODEQL_PYTHON` to the Python executable that includes the dependencies, as shown in this workflow extract:
```yaml
jobs:
CodeQL-Build:
runs-on: ubuntu-latest{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@3.1" or currentVersion == "github-ae@next" %}
permissions:
security-events: write
actions: read{% endif %}
steps:
- name: Checkout repository
uses: actions/checkout@v2
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
if [ -f requirements.txt ];
then pip install -r requirements.txt;
fi
# Set the `CODEQL-PYTHON` environment variable to the Python executable
# that includes the dependencies
echo "CODEQL_PYTHON=$(which python)" >> $GITHUB_ENV
- name: Initialize CodeQL
uses: github/codeql-action/init@v1
with:
languages: python
# Override the default behavior so that the action doesn't attempt
# to auto-install Python dependencies
setup-python-dependencies: false
```
{% endif %}
### Running additional queries
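Review bot: the job-level `permissions` block (`security-events: write` / `actions: read`) omits `contents`, and a job-level `permissions` key sets every unlisted scope to `none`, so the `actions/checkout@v2` step in this same extract has no read access to repository contents, which fails on private repositories; add `contents: read` to the block. Also, the comment above the `echo` line reads `Set the \`CODEQL-PYTHON\` environment variable` (hyphen) while the command itself and the prose above write `CODEQL_PYTHON` (underscore); fix the comment so readers who copy the extract do not pick up the wrong name.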

@@ -44,7 +44,10 @@ on:
jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
runs-on: ubuntu-latest{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@3.1" or currentVersion == "github-ae@next" %}
permissions:
security-events: write
actions: read{% endif %}
strategy:
fail-fast: false
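Review bot: the `permissions` block inserted under `runs-on: ubuntu-latest` is not explained anywhere in the hunk: nothing tells the reader why `actions: read` is needed next to `security-events: write`, or that listing any scope here sets every unlisted scope to `none`. Add a one-line YAML comment per scope, or a sentence linking to the permissions reference this PR adds (`Add 'permissions' to reference page` in the commit message), so the sample is not copied without understanding what it grants.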

@@ -29,7 +29,10 @@ If an automatic build of code for a compiled language within your project fails,
```yaml
jobs:
analyze:
analyze:{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@3.1" or currentVersion == "github-ae@next" %}
permissions:
security-events: write
actions: read{% endif %}
...
strategy:
fail-fast: false
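Review bot: here the `{% if %}` gate is appended to `analyze:` and the `permissions` block precedes the elided `...`, whereas the other `analyze` example in this PR appends the gate to `runs-on: ubuntu-latest` and places `permissions` after it. YAML does not care about key order, but readers copying from both pages will see two layouts for the same job; pick one placement (after `runs-on`, matching the full examples) and use it throughout.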

@@ -63,7 +63,9 @@ on:
jobs:
build:
runs-on: ubuntu-latest
runs-on: ubuntu-latest{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@3.1" or currentVersion == "github-ae@next" %}
permissions:
security-events: write{% endif %}
steps:
# This step checks out a copy of your repository.
- name: Checkout repository
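Review bot: this `build` job's `permissions` block lists only `security-events: write`, yet its first step is `Checkout repository`; since a job-level `permissions` key sets unlisted scopes to `none`, the checkout lacks `contents: read` (a hard failure on private repositories), so add it. Also confirm that leaving out `actions: read` is deliberate: the `analyze` jobs elsewhere in this PR grant it, and a reader will wonder whether the two snippets disagree or whether this job only uploads results and does not need it.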
@@ -95,6 +97,9 @@ on:
jobs:
build:
runs-on: ubuntu-latest{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@3.1" or currentVersion == "github-ae@next" %}
permissions:
security-events: write{% endif %}
steps:
- uses: actions/checkout@v2
- name: Run npm install
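Review bot: same gap as the previous hunk in this file: `permissions` grants only `security-events: write` and the job immediately runs `- uses: actions/checkout@v2`, which needs `contents: read` once a job-level `permissions` key is present (all unlisted scopes become `none`); add `contents: read` here as well so the `Run npm install` step has a checked-out tree to install from.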