From 10975deab8078629492cebfe7e177256652eabd0 Mon Sep 17 00:00:00 2001 From: Alex Date: Sat, 24 Sep 2022 08:57:02 +0200 Subject: [PATCH] build: harden codeql-analysis.yml permissions Signed-off-by: Alex --- .github/workflows/codeql-analysis.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 6155a3fe..98b4c4ef 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -20,8 +20,15 @@ on: schedule: - cron: '41 13 * * 1' +permissions: + contents: read # to fetch code (actions/checkout) + jobs: analyze: + permissions: + contents: read # to fetch code (actions/checkout) + security-events: write # to upload SARIF results (github/codeql-action/analyze) + name: Analyze runs-on: ubuntu-latest