Merge branch 'master' into dependabot/github_actions/github/codeql-action-2

4 files changed, 16 insertions, 0 deletions

diff --git a/.github/workflows/face.yml b/.github/workflows/face.yml
index f67073b9151..5e244a5a409 100644
--- a/.github/workflows/face.yml
+++ b/.github/workflows/face.yml
@@ -11,6 +11,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     strategy:
diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
index 42002aeb592..94e9934846d 100644
--- a/.github/workflows/fuzz.yml
+++ b/.github/workflows/fuzz.yml
@@ -11,6 +11,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
index ea6acc5f9b6..bc46c75b502 100644
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -11,8 +11,15 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
+    permissions:
+      actions: read  # for github/codeql-action/init to get workflow details
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/analyze to upload SARIF results
     strategy:
       fail-fast: false
       matrix:
diff --git a/.github/workflows/macosx.yml b/.github/workflows/macosx.yml
index f344f7d66c7..26699f42c46 100644
--- a/.github/workflows/macosx.yml
+++ b/.github/workflows/macosx.yml
@@ -11,6 +11,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     strategy: