
I have absolutely no idea how GitHub's "Code scanning alerts" shall work #18

Open
hilbix opened this issue Dec 3, 2021 · 1 comment


hilbix commented Dec 3, 2021

  • First I failed to enable it due to missing Actions.
    • This relation was completely undocumented and I found out only by using Google and Stackoverflow.
  • Then Actions failed due to action permissions.
    • Note that the needed minimal permission set is completely undocumented at all!
    • Also completely undocumented is how to re-run actions.
    • Also the default workflow, which shall suit most cases, is completely nuts. It restricts to master, which git is about to get rid of, and it has some time-based scanning, which (makes no sense at all to me, because time-based re-evaluation is either a complete waste of effort or always comes too late when dependencies get trojaned, and) also needs to be manually (for every and all of my repositories, probably).
  • After raising the actions to the next level just nothing happens.
  • Then diving into the docs of this thing I got completely lost.
    • lost in the maze of references to references to references explaining things with links that link to links and even deeper down.
    • I am totally drowned.
    • Where is: "click here, then there, then this, and done with a minimal working setup with perfect security."

What am I doing wrong? What is the right minimal permission set needed to gain security? What does such a report look like and what am I supposed to see (or not see due to some silent failure at some hidden detail)?

Note that it is insane to have a permanent lowered security setting just to, perhaps, gain some more security at some other place, by chance or even less.

So what are the secure settings to do security scans? (Or is this a trick question to see how many fall to no security at all for the promise of some obscure security?)


hilbix commented Dec 3, 2021

To stress it:

"Requiring full write to the repo" will never be allowed. No automated process will get this right for strict security reasons.

I already asked ~~GitHub~~ Microsoft to allow a 2nd scratch-account to protect against permission nightmares (like Travis-CI), but this was declined with no exception. (Perhaps I will retry with some scratch-organization, but AFAICS ~~some~~ most of those nightmares directly operate on the account level, hence would void your account's safety for no good reason at all, just because they can).

Note to all hackers out there: Please never hack Travis-CI!

Because if you manage to crack into Travis-CI, you immediately gain full read and write access to the majority of security related repositories here on GitHub.

Hacking Travis-CI would not be just some nuclear option. It would be like killing our entire galaxy cluster FTL!
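An added example, not part of this issue or of any GitHub-provided template, addressing both the default-workflow complaints above and the "full write to the repo" point: a code-scanning workflow that scans every branch instead of only master, has no schedule, can be re-run by hand from the Actions tab, and grants the job only the token scopes it needs (read on contents, write on security-events) rather than a repository-wide write default. The action names follow GitHub's github/codeql-action; the workflow name and the language list are assumptions to adjust per repository.

```yaml
# Added example (not from the issue): minimal CodeQL code-scanning workflow
# with job-scoped, least-privilege token permissions.
# Assumptions: workflow name and the language matrix below.
name: code-scanning

on:
  push:               # scan every branch, not only master/main
  pull_request:
  workflow_dispatch:  # allows a manual re-run from the Actions tab

permissions: {}       # default for every job: no token permissions at all

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # check out the source; no write to the repo
      security-events: write  # upload results to "Code scanning alerts"
      actions: read           # only needed on private repos (run metadata)
    strategy:
      matrix:
        language: [ 'javascript' ]   # assumption: set to the repo's languages
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
```

With the repository-level Actions setting left at read-only for the default GITHUB_TOKEN, the job-level block above is the only place that hands out the security-events write scope, so it can be audited in one file.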
