From: Varun Sharma
Date: Tue, 13 Sep 2022 19:41:16 +0000 (-0700)
Subject: ci: Add minimum GitHub token permissions for workflows (#1159)
X-Git-Tag: v4.7~72
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a39ed5824d8f4343e33b80575a9ba0bf0c73e89f;p=thirdparty%2Fccache.git

ci: Add minimum GitHub token permissions for workflows (#1159)
---
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index fe1e01a48..47e00207b 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -11,6 +11,9 @@ defaults:
 run:
 shell: bash
 
+permissions:
+ contents: read
+
 jobs:
 build_and_test:
 env:
diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml
index 4ae74ed8b..517808c04 100644
--- a/.github/workflows/codeql-analysis.yaml
+++ b/.github/workflows/codeql-analysis.yaml
@@ -17,8 +17,15 @@ on:
 # Full scan once a week
 - cron: '0 14 * * 3'
 
+permissions:
+ contents: read
+
 jobs:
 analyze:
+ permissions:
+ actions: read # for github/codeql-action/init to get workflow details
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/analyze to upload SARIF results
 name: Analyze
 runs-on: ubuntu-20.04
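Review bot: The job-level `permissions:` block added to `analyze` in codeql-analysis.yaml replaces the workflow-level default instead of merging with it, and nothing in the hunk says so; a comment above it such as `# job-level permissions replace the workflow default; unlisted scopes get no access` would keep a later maintainer from assuming other scopes are inherited. The block is also inserted ahead of `name: Analyze`, so the job's identifying keys now sit below it; placing `permissions:` after `runs-on:` would read more conventionally. The job's steps lie outside the hunk, so whether the three listed scopes cover every step cannot be confirmed from here.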