ci: Add minimum GitHub token permissions for workflows (#1159)

author Varun Sharma <varunsh@stepsecurity.io>

Tue, 13 Sep 2022 19:41:16 +0000 (12:41 -0700)

committer GitHub <noreply@github.com>

Tue, 13 Sep 2022 19:41:16 +0000 (21:41 +0200)
author Varun Sharma <varunsh@stepsecurity.io>
Tue, 13 Sep 2022 19:41:16 +0000 (12:41 -0700)
committer GitHub <noreply@github.com>
Tue, 13 Sep 2022 19:41:16 +0000 (21:41 +0200)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml

index fe1e01a4813d135a1522c201cb051c097103b1cf..47e00207b74ab09e22692e760883ac47b97d5b08 100644 (file)
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -11,6 +11,9 @@ defaults:
    run:
      shell: bash
  
+permissions:
+  contents: read
+
  jobs:
    build_and_test:
      env:
diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml

index 4ae74ed8bacced3fb09d2d5bf851a9362f5fb13c..517808c0483e5dc928dfe57c28a4ed4950eb0368 100644 (file)
--- a/.github/workflows/codeql-analysis.yaml
+++ b/.github/workflows/codeql-analysis.yaml
@@ -17,8 +17,15 @@ on:
      # Full scan once a week
      - cron: '0 14 * * 3'
  
+permissions:
+  contents: read
+
  jobs:
    analyze:
+    permissions:
+      actions: read  # for github/codeql-action/init to get workflow details
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/analyze to upload SARIF results
      name: Analyze
      runs-on: ubuntu-20.04
author	Varun Sharma <varunsh@stepsecurity.io>
	Tue, 13 Sep 2022 19:41:16 +0000 (12:41 -0700)
committer	GitHub <noreply@github.com>
	Tue, 13 Sep 2022 19:41:16 +0000 (21:41 +0200)
.github/workflows/build.yaml		patch \| blob \| blame \| history
.github/workflows/codeql-analysis.yaml		patch \| blob \| blame \| history