ci: tighten codeql and labeler even more 21366/head
authorEvgeny Vereshchagin <evvers@ya.ru>
Sun, 14 Nov 2021 09:41:42 +0000 (09:41 +0000)
committerEvgeny Vereshchagin <evvers@ya.ru>
Sun, 14 Nov 2021 10:51:07 +0000 (10:51 +0000)
by moving the read permissions to the top level and
granting additional permissions to the specific jobs.
It should help to prevent new jobs that could be added
there eventually from having write access to resources they
most likely would never need.

.github/workflows/codeql-analysis.yml
.github/workflows/labeler.yml

index c003cc517965f082baa47de9fcf13c72ed5fac69..460002eaeb1354730e68564fec4fc5ce00509ecf 100644 (file)
@@ -11,6 +11,9 @@ on:
   schedule:
     - cron: '0 1 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
@@ -20,7 +23,6 @@ jobs:
       cancel-in-progress: true
     permissions:
       actions: read
-      contents: read
       security-events: write
 
     strategy:
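Review bot: The `permissions:` block kept on the `analyze` job (`actions: read`, `security-events: write`) replaces the new top-level block rather than extending it, so with `contents: read` dropped here the job's GITHUB_TOKEN has no `contents` scope at all. GitHub sets every scope not listed at the level in effect to `none`. This presumably still works only because the repository is public, and checkout would fail in a private fork or mirror. Either keep `contents: read` in the job block or add a comment such as `# job-level permissions replace the top-level block; contents is none here` (the job's body continues past this hunk). The same applies to the `triage` job in labeler.yml, which now lists only `pull-requests: write`. The top-level `contents: read` still serves as the default for any job that declares no block of its own.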
index 800f8877a3f616d685092110a7ff3e5f48174a27..34d9d63d42c913f320ee5e4665e3bdb7cd41fff5 100644 (file)
@@ -9,11 +9,12 @@ on:
 
 permissions:
   contents: read
-  pull-requests: write
 
 jobs:
   triage:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
     - uses: actions/labeler@69da01b8e0929f147b8943611bee75ee4175a49e
       with: