From a39ed5824d8f4343e33b80575a9ba0bf0c73e89f Mon Sep 17 00:00:00 2001
From: Varun Sharma
Date: Tue, 13 Sep 2022 12:41:16 -0700
Subject: ci: Add minimum GitHub token permissions for workflows (#1159)

---
 .github/workflows/build.yaml           | 3 +++
 .github/workflows/codeql-analysis.yaml | 7 +++++++
 2 files changed, 10 insertions(+)
(limited to '.github')

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index fe1e01a4..47e00207 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -11,6 +11,9 @@ defaults:
   run:
     shell: bash
 
+permissions:
+  contents: read
+
 jobs:
   build_and_test:
     env:
diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml
index 4ae74ed8..517808c0 100644
--- a/.github/workflows/codeql-analysis.yaml
+++ b/.github/workflows/codeql-analysis.yaml
@@ -17,8 +17,15 @@ on:
     # Full scan once a week
     - cron: '0 14 * * 3'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
+    permissions:
+      actions: read # for github/codeql-action/init to get workflow details
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/analyze to upload SARIF results
     name: Analyze
     runs-on: ubuntu-20.04
-- 
cgit v1.2.1
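Review bot: The workflow-level `permissions: contents: read` in build.yaml drops every other GITHUB_TOKEN scope for the `build_and_test` job, but the job body is outside the hunk, so it is not visible here whether any step still needs a write scope (pushing commits or tags, creating releases, commenting on pull requests, or writing checks). If one does, that step will now fail with a 403 rather than at workflow parse time, so the job steps should be checked and any needed scope restated in a job-level `permissions:` block, as the codeql-analysis.yaml hunk does. A short comment on the new block would also help the next maintainer, e.g. `# Least-privilege default for GITHUB_TOKEN; jobs that need more must declare their own permissions block`.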
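Review bot: The job-level `permissions:` block under `analyze` replaces the workflow-level set rather than extending it, which is why `contents: read` is correctly repeated there; this interaction is easy to get wrong in later edits, so the workflow-level block deserves a comment that says so, e.g. `# Default for any job without its own permissions block; a job-level block replaces this set entirely`. The per-scope comments on `actions`, `contents` and `security-events` are the right style and should be kept whenever a scope is added. Both hunks in this commit are complete within the patch; the rest of each workflow is outside it.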