From: Evgeny Vereshchagin Date: Sun, 14 Nov 2021 09:41:42 +0000 (+0000) Subject: ci: tighten codeql and labeler even more X-Git-Tag: v250-rc1~265^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=510afa460acad51a05e627f61d62a33f066b78da;p=thirdparty%2Fsystemd.git ci: tighten codeql and labeler even more by moving the read permissions to the top level and granting additional permissions to the specific jobs. It should help to prevent new jobs that could be added there eventually from having write access to resources they most likely would never need. --- diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index c003cc51796..460002eaeb1 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -11,6 +11,9 @@ on: schedule: - cron: '0 1 * * *' +permissions: + contents: read + jobs: analyze: name: Analyze @@ -20,7 +23,6 @@ jobs: cancel-in-progress: true permissions: actions: read - contents: read security-events: write strategy: diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 800f8877a3f..34d9d63d42c 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -9,11 +9,12 @@ on: permissions: contents: read - pull-requests: write jobs: triage: runs-on: ubuntu-latest + permissions: + pull-requests: write steps: - uses: actions/labeler@69da01b8e0929f147b8943611bee75ee4175a49e with:
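Review bot: in the codeql-analysis.yml hunk, removing `contents: read` from the `analyze` job's `permissions` block does not leave that job with the new workflow-level `contents: read`: a job-level `permissions` key replaces the workflow-level one for that job instead of merging with it, and every scope it does not list is set to `none`. As written, `analyze` ends up with only `actions: read` and `security-events: write`, so the token used to check out the tree and run the analysis has no contents access. Keep the top-level block as the default for jobs added later, but restore the line inside the job: `actions: read` / `contents: read` / `security-events: write`.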
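Review bot: the same override semantics affect the labeler.yml hunk: once `triage` has its own `permissions:` block containing only `pull-requests: write`, the workflow-level `contents: read` no longer applies to that job and `contents` becomes `none` for it. actions/labeler reads its label configuration file from the repository with the job token, which requires `contents: read`, so add `contents: read` next to `pull-requests: write` in the job block and leave the top-level `contents: read` in place as the read-only default for any future job.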