github
diff --git a/‎.github/workflows/code-scanning-pack-gen.yml‎
Lines changed: 14 additions & 8 deletions b/‎.github/workflows/code-scanning-pack-gen.yml‎
Lines changed: 14 additions & 8 deletions
diff --git a/‎.github/workflows/codeql_unit_tests.yml‎
Lines changed: 6 additions & 4 deletions b/‎.github/workflows/codeql_unit_tests.yml‎
Lines changed: 6 additions & 4 deletions
diff --git a/‎.github/workflows/dispatch-matrix-test-on-comment.yml‎
Lines changed: 7 additions & 3 deletions b/‎.github/workflows/dispatch-matrix-test-on-comment.yml‎
Lines changed: 7 additions & 3 deletions
diff --git a/‎.github/workflows/dispatch-release-performance-check.yml‎
Lines changed: 7 additions & 3 deletions b/‎.github/workflows/dispatch-release-performance-check.yml‎
Lines changed: 7 additions & 3 deletions
diff --git a/‎.github/workflows/extra-rule-validation.yml‎
Lines changed: 4 additions & 2 deletions b/‎.github/workflows/extra-rule-validation.yml‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎.github/workflows/finalize-release.yml‎
Lines changed: 9 additions & 4 deletions b/‎.github/workflows/finalize-release.yml‎
Lines changed: 9 additions & 4 deletions
diff --git a/‎.github/workflows/generate-html-docs.yml‎
Lines changed: 4 additions & 2 deletions b/‎.github/workflows/generate-html-docs.yml‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎.github/workflows/prepare-release.yml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/prepare-release.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎.github/workflows/standard_library_upgrade_tests.yml‎
Lines changed: 6 additions & 4 deletions b/‎.github/workflows/standard_library_upgrade_tests.yml‎
Lines changed: 6 additions & 4 deletions
diff --git a/‎.github/workflows/tooling-unit-tests.yml‎
Lines changed: 9 additions & 7 deletions b/‎.github/workflows/tooling-unit-tests.yml‎
Lines changed: 9 additions & 7 deletions
@@ -1,4 +1,6 @@
 name: Code Scanning Query Pack Generation
+permissions:
+  contents: read
 
 on:
   merge_group:
@@ -26,7 +28,7 @@ jobs:
       matrix: ${{ steps.export-code-scanning-pack-matrix.outputs.matrix }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Export Code Scanning pack matrix
         id: export-code-scanning-pack-matrix
         run: |
@@ -42,7 +44,7 @@ jobs:
       fail-fast: false
       matrix: ${{ fromJSON(needs.prepare-code-scanning-pack-matrix.outputs.matrix) }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Cache CodeQL
         id: cache-codeql
@@ -68,25 +70,29 @@ jobs:
       - name: Determine ref for external help files
         id: determine-ref
         run: |
-          if [[ $GITHUB_EVENT_NAME == "pull_request" || $GITHUB_EVENT_NAME == "merge_group" ]]; then
-            echo "EXTERNAL_HELP_REF=$GITHUB_HEAD_REF" >> "$GITHUB_ENV"
+          if [[ $GITHUB_EVENT_NAME == "pull_request" ]]; then
+            EXTERNAL_HELP_REF="${{ github.event.pull_request.base.ref }}"
+          elif [[ $GITHUB_EVENT_NAME == "merge_group" ]]; then
+            EXTERNAL_HELP_REF="${{ github.event.merge_group.base_ref }}"
           else
-            echo "EXTERNAL_HELP_REF=$GITHUB_REF" >> "$GITHUB_ENV"
+            EXTERNAL_HELP_REF="$GITHUB_REF"
           fi
+          echo "EXTERNAL_HELP_REF=$EXTERNAL_HELP_REF" >> "$GITHUB_ENV"
           echo "Using ref $EXTERNAL_HELP_REF for external help files."
 
       - name: Checkout external help files
-        continue-on-error: true
         id: checkout-external-help-files
-        uses: actions/checkout@v4
+        # PRs from forks and dependabot do not have access to an appropriate token for cloning the help files repos
+        if: ${{ !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]' }}
+        uses: actions/checkout@v5
         with:
           ssh-key: ${{ secrets.CODEQL_CODING_STANDARDS_HELP_KEY }}
           repository: "github/codeql-coding-standards-help"
           ref: ${{ env.EXTERNAL_HELP_REF }}
           path: external-help-files
 
       - name: Include external help files
-        if: steps.checkout-external-help-files.outcome == 'success'
+        if: ${{ !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]'&& steps.checkout-external-help-files.outcome == 'success' }}
         run: |
           pushd external-help-files
           find . -name '*.md' -exec rsync -av --relative {} "$GITHUB_WORKSPACE" \;
 
@@ -1,4 +1,6 @@
 name: CodeQL Unit Testing
+permissions:
+  contents: read
 
 on:
   merge_group:
@@ -23,7 +25,7 @@ jobs:
       matrix: ${{ steps.export-unit-test-matrix.outputs.matrix }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Export unit test matrix
         id: export-unit-test-matrix
@@ -45,10 +47,10 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Install Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: "3.9"
 
@@ -166,7 +168,7 @@ jobs:
     steps:
       - name: Check if run-test-suites job failed to complete, if so fail
         if: ${{ needs.run-test-suites.result == 'failure' }}
-        uses: actions/github-script@v3
+        uses: actions/github-script@v8
         with:
           script: |
             core.setFailed('Test run job failed')
 
@@ -1,4 +1,8 @@
 name: 🤖 Run Matrix Check (On Comment)
+permissions:
+  contents: read
+  actions: write
+  pull-requests: write
 
 on:
   issue_comment:
@@ -9,7 +13,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Check permission
         id: check-write-permission
@@ -19,7 +23,7 @@ jobs:
 
       - name: Generate token
         id: generate-token
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@v2
         with:
           app-id: ${{ vars.AUTOMATION_APP_ID }}
           private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
@@ -40,7 +44,7 @@ jobs:
           --json \
             -R github/codeql-coding-standards-release-engineering
 
-      - uses: actions/github-script@v6
+      - uses: actions/github-script@v8
         if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-matrix') && steps.check-write-permission.outputs.has-permission }}
         with:
           script: |
 
@@ -1,4 +1,8 @@
 name: 🏁 Run Release Performance Check
+permissions:
+  contents: read
+  actions: write
+  pull-requests: write
 
 on:
   issue_comment:
@@ -9,7 +13,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Check permission
         id: check-write-permission
@@ -19,7 +23,7 @@ jobs:
 
       - name: Generate token
         id: generate-token
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@v2
         with:
           app-id: ${{ vars.AUTOMATION_APP_ID }}
           private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
@@ -40,7 +44,7 @@ jobs:
           --json \
           -R github/codeql-coding-standards-release-engineering
 
-      - uses: actions/github-script@v6
+      - uses: actions/github-script@v8
         if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-performance') && steps.check-write-permission.outputs.has-permission }}
         with:
           script: |
 
@@ -1,4 +1,6 @@
 name: ⚙️ Extra Rule Validation
+permissions:
+  contents: read
 
 on:
   merge_group:
@@ -21,7 +23,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Check Rules 
         shell: pwsh
@@ -33,7 +35,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Ensure CPP Shared Rules Have Valid Structure  
         shell: pwsh
 
@@ -1,4 +1,9 @@
 name: Finalize Release
+permissions:
+  contents: write
+  pull-requests: write
+  actions: write
+
 on:
   pull_request:
     types:
@@ -39,20 +44,20 @@ jobs:
           fi
 
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           ref: ${{ env.REF }}
           fetch-depth: 0
           path: release 
 
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           ref: ${{ env.TOOL_REF }}
           path: tooling 
 
       - name: Install Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: "3.9"
 
@@ -103,7 +108,7 @@ jobs:
       - name: Generate token
         if: env.HOTFIX_RELEASE == 'false'
         id: generate-token
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@v2
         with:
           app-id: ${{ vars.AUTOMATION_APP_ID }}
           private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
 
@@ -1,4 +1,6 @@
 name: Generate HTML documentation
+permissions:
+  contents: read
 
 on:
   merge_group:
@@ -20,10 +22,10 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Install Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: "3.9"
 
 
@@ -34,12 +34,12 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           ref: ${{ inputs.ref }}
 
       - name: Install Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: "3.9"
 
@@ -143,7 +143,7 @@ jobs:
 
       - name: Generate token
         id: generate-token
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@v2
         with:
           app-id: ${{ vars.AUTOMATION_APP_ID }}
           private-key: ${{ secrets.AUTOMATION_PRIVATE_KEY }}
 
@@ -1,4 +1,6 @@
 name: CodeQL Standard Library Upgrade tests
+permissions:
+  contents: read
 
 # Run this workflow every time the "supported_codeql_configs.json" file is changed
 on:
@@ -19,7 +21,7 @@ jobs:
       matrix: ${{ steps.export-unit-test-matrix.outputs.matrix }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Export unit test matrix
         id: export-unit-test-matrix
@@ -41,10 +43,10 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Setup Python 3
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: "3.x"
 
@@ -157,7 +159,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Install Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: "3.9"
 
 
@@ -1,4 +1,6 @@
 name: 🧰 Tooling unit tests
+permissions:
+  contents: read
 
 on:
   merge_group:
@@ -22,7 +24,7 @@ jobs:
       matrix: ${{ steps.export-supported-codeql-env-matrix.outputs.matrix }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Export supported CodeQL environment matrix
         id: export-supported-codeql-env-matrix
@@ -40,10 +42,10 @@ jobs:
       matrix: ${{ fromJSON(needs.prepare-supported-codeql-env-matrix.outputs.matrix) }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Install Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: "3.9"
 
@@ -83,10 +85,10 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Install Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: "3.9"
 
@@ -102,10 +104,10 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Install Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: "3.9"