Add permissions block and actions analysis

This change does two things. If it is complicated to review
I will split up.

First, this ensures that all workflows have minimal permissions
blocks. Second, this adds actions analysis.

Author: aeisenberg

.github/workflows/cli-test.yml

@@ -17,6 +17,8 @@ jobs:
   find-nightly:
     name: Find Nightly Release
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       url: ${{ steps.get-url.outputs.nightly-url }}
     steps:
@@ -33,6 +35,8 @@ jobs:
   set-matrix:
     name: Set Matrix for cli-test
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -47,6 +51,8 @@ jobs:
     runs-on: ${{ matrix.os }}
     needs: [find-nightly, set-matrix]
     timeout-minutes: 30
+    permissions:
+      contents: read
     strategy:
       matrix:
         os: [ubuntu-latest, windows-latest]

.github/workflows/codeql.yml

@@ -11,6 +11,12 @@ on:
 jobs:
   codeql:
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        language:
+          - javascript
+          - actions
+      fail-fast: false
 
     permissions:
       contents: read
@@ -24,7 +30,7 @@ jobs:
       - name: Initialize CodeQL
         uses: github/codeql-action/init@main
         with:
-            languages: javascript
+            languages: ${{ matrix.language }}
             config-file: ./.github/codeql/codeql-config.yml
             tools: latest
 

.github/workflows/e2e-tests.yml

@@ -5,6 +5,9 @@ on:
   pull_request:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   e2e-test:
     name: E2E Test

.github/workflows/label-issue.yml

@@ -3,6 +3,9 @@ on:
   issues:
     types: [opened]
 
+permissions:
+  issues: write
+
 jobs:
   label:
     name: Label issue

.github/workflows/main.yml

@@ -7,6 +7,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build

.github/workflows/release.yml

@@ -16,6 +16,8 @@ jobs:
   build:
     name: Release
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -156,6 +158,8 @@ jobs:
     needs: build
     environment: publish-open-vsx
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     env:
       OPEN_VSX_TOKEN: ${{ secrets.OPEN_VSX_TOKEN }}
     steps:

extensions/ql-vscode/eslint.config.js

@@ -0,0 +1,203 @@
+const { resolve } = require("path");
+
+const baseConfig = {
+  parser: "@typescript-eslint/parser",
+  files: [".js", ".ts", ".tsx "],
+
+  parserOptions: {
+    ecmaVersion: 2018,
+    sourceType: "module",
+    project: [
+      resolve(__dirname, "tsconfig.lint.json"),
+      resolve(__dirname, "src/**/tsconfig.json"),
+      resolve(__dirname, "test/**/tsconfig.json"),
+      resolve(__dirname, "gulpfile.ts/tsconfig.json"),
+      resolve(__dirname, "scripts/tsconfig.json"),
+      resolve(__dirname, ".storybook/tsconfig.json"),
+    ],
+  },
+  plugins: ["github", "@typescript-eslint", "etc"],
+  env: {
+    node: true,
+    es6: true,
+  },
+  extends: [
+    "eslint:recommended",
+    "plugin:github/recommended",
+    "plugin:github/typescript",
+    "plugin:jest-dom/recommended",
+    "plugin:prettier/recommended",
+    "plugin:@typescript-eslint/recommended",
+    "plugin:import/recommended",
+    "plugin:import/typescript",
+    "plugin:deprecation/recommended",
+  ],
+  rules: {
+    "@typescript-eslint/await-thenable": "error",
+    "@typescript-eslint/no-unused-vars": [
+      "warn",
+      {
+        vars: "all",
+        args: "none",
+        ignoreRestSiblings: false,
+      },
+    ],
+    "@typescript-eslint/no-explicit-any": "error",
+    "@typescript-eslint/no-floating-promises": ["error", { ignoreVoid: true }],
+    "@typescript-eslint/no-invalid-this": "off",
+    "@typescript-eslint/no-shadow": "off",
+    "prefer-const": ["warn", { destructuring: "all" }],
+    "@typescript-eslint/only-throw-error": "error",
+    "@typescript-eslint/consistent-type-imports": "error",
+    "import/consistent-type-specifier-style": ["error", "prefer-top-level"],
+    curly: ["error", "all"],
+    "escompat/no-regexp-lookbehind": "off",
+    "etc/no-implicit-any-catch": "error",
+    "filenames/match-regex": "off",
+    "i18n-text/no-en": "off",
+    "no-invalid-this": "off",
+    "no-console": "off",
+    "no-shadow": "off",
+    "github/array-foreach": "off",
+    "github/no-then": "off",
+    "react/jsx-key": ["error", { checkFragmentShorthand: true }],
+    "import/no-cycle": "error",
+    // Never allow extensions in import paths, except for JSON files where they are required.
+    "import/extensions": ["error", "never", { json: "always" }],
+  },
+  settings: {
+    "import/resolver": {
+      typescript: true,
+      node: true,
+    },
+    "import/extensions": [".js", ".jsx", ".ts", ".tsx", ".json"],
+    // vscode and sarif don't exist on-disk, but only provide types.
+    "import/core-modules": ["vscode", "sarif"],
+  },
+};
+
+module.exports = [
+  baseConfig,
+  {
+    ignores: [
+      ".vscode-test/",
+      "node_modules/",
+      "out/",
+      "build/",
+
+      // Ignore js files
+      "**/.*",
+      "**/jest.config.js",
+      "test/vscode-tests/activated-extension/jest-runner-vscode.config.js",
+      "test/vscode-tests/cli-integration/jest-runner-vscode.config.js",
+      "test/vscode-tests/jest-runner-vscode.config.base.js",
+      "test/vscode-tests/minimal-workspace/jest-runner-vscode.config.js",
+      "test/vscode-tests/no-workspace/jest-runner-vscode.config.js",
+
+      // Include the Storybook config
+      "!.storybook"
+    ]
+  },
+  {
+    files: ["src/stories/**/*"],
+    parserOptions: {
+      project: resolve(__dirname, "src/stories/tsconfig.json"),
+    },
+    extends: [
+      ...baseConfig.extends,
+      "plugin:react/recommended",
+      "plugin:react/jsx-runtime",
+      "plugin:react-hooks/recommended",
+      "plugin:storybook/recommended",
+      "plugin:github/react",
+    ],
+    rules: {
+      ...baseConfig.rules,
+    },
+    settings: {
+      react: {
+        version: "detect",
+      },
+    },
+  },
+  {
+    files: ["src/view/**/*"],
+    parserOptions: {
+      project: resolve(__dirname, "src/view/tsconfig.json"),
+    },
+    extends: [
+      ...baseConfig.extends,
+      "plugin:react/recommended",
+      "plugin:react/jsx-runtime",
+      "plugin:react-hooks/recommended",
+      "plugin:github/react",
+    ],
+    rules: {
+      ...baseConfig.rules,
+    },
+    settings: {
+      react: {
+        version: "detect",
+      },
+    },
+  },
+  {
+    files: ["test/vscode-tests/**/*"],
+    parserOptions: {
+      project: resolve(__dirname, "test/tsconfig.json"),
+    },
+    env: {
+      jest: true,
+    },
+    rules: {
+      ...baseConfig.rules,
+      // We want to allow mocking of functions in modules, so we need to allow namespace imports.
+      "import/no-namespace": "off",
+      "@typescript-eslint/no-unsafe-function-type": "off",
+    },
+  },
+  {
+    files: ["test/**/*"],
+    parserOptions: {
+      project: resolve(__dirname, "test/tsconfig.json"),
+    },
+    env: {
+      jest: true,
+    },
+    rules: {
+      "@typescript-eslint/no-explicit-any": "off",
+    },
+  },
+  {
+    files: [
+      ".eslintrc.js",
+      "test/**/jest-runner-vscode.config.js",
+      "test/**/jest-runner-vscode.config.base.js",
+    ],
+    parser: undefined,
+    plugins: ["github"],
+    extends: [
+      "eslint:recommended",
+      "plugin:github/recommended",
+      "plugin:prettier/recommended",
+    ],
+    rules: {
+      "import/no-commonjs": "off",
+      "prefer-template": "off",
+      "filenames/match-regex": "off",
+      "@typescript-eslint/no-var-requires": "off",
+    },
+  },
+  {
+    files: [".storybook/**/*.tsx"],
+    parserOptions: {
+      project: resolve(__dirname, ".storybook/tsconfig.json"),
+    },
+    rules: {
+      ...baseConfig.rules,
+      // Storybook doesn't use the automatic JSX runtime in the addon yet, so we need to allow
+      // `React` to be imported.
+      "import/no-namespace": ["error", { ignore: ["react"] }],
+    },
+  },
+];