chore(ci): update Codacy Security Scan workflow

nanotaboada · nanotaboada · commit d5eff103edc7 · 2025-04-04T01:00:05.000-03:00
diff --git a/.github/workflows/codacy.yml b/.github/workflows/codacy.yml
@@ -17,33 +17,29 @@ on:
   schedule:
     - cron: '0 21 * * 5' # Runs at 21:00, only on Friday
 
-permissions:
-  contents: read
-
 jobs:
   codacy-security-scan:
-    permissions:
-      contents: read
-      security-events: write
-      actions: read
     name: Codacy Security Scan
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
-      # Execute Codacy Analysis CLI and generate a SARIF output with the security
-      # issues identified during the analysis
+        uses: actions/checkout@main
+
       - name: Run Codacy Analysis CLI
         uses: codacy/codacy-analysis-cli-action@master
         with:
           project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
           verbose: true
           output: results.sarif
           format: sarif
+          # Adjust severity of non-security issues
           gh-code-scanning-compat: true
+          # Force 0 exit code to allow SARIF file generation
+          # This will hand over control about PR rejection to the GitHub side
           max-allowed-issues: 2147483647
+
       # Upload the SARIF file generated in the previous step
       - name: Upload SARIF results file
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@main
         with:
           sarif_file: results.sarif
