ci: add minimum GitHub token permissions for workflows (#6236)

Signed-off-by: Ashish Kurmi <akurmi@stepsecurity.io>
2026-06-05 14:50:16 +00:00 · 2023-01-12 03:36:53 +05:30
parent 2745db131a
commit eb07385b02
3 changed files with 13 additions and 0 deletions
@@ -14,8 +14,15 @@ on:
  schedule:
    - cron: '0 23 * * 0'

+permissions:
+  contents: read
+
 jobs:
  analyze:
+    permissions:
+      actions: read  # for github/codeql-action/init to get workflow details
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/autobuild to send a status report
    name: Analyze
    runs-on: ubuntu-latest

@@ -4,6 +4,9 @@ on:
  push:
  pull_request:

+permissions:
+  contents: read
+
 jobs:
  lint:
    runs-on: ubuntu-20.04
@@ -2,6 +2,9 @@ name: Tests

 on: [push, pull_request]

+permissions:
+  contents: read
+
 jobs:
  build:
    runs-on: ${{ matrix.os }}