authorDiogo Teles Sant'Anna <diogoteles@google.com>2023-05-03 13:59:32 -0300
committerDiogo Teles Sant'Anna <diogoteles@google.com>2023-05-03 13:59:32 -0300
commit474bcc1f6a691904a6733819e73fee0fa269fa77 (patch)
treefa1864c901905a3e1835a1623b9c7ae111e1edf2
parent2dec6845c7b40340ce4ca11ab6205586d01023ed (diff)
ci: set minimal permisisons to GitHub Workflows
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
-rw-r--r--.github/workflows/build.yml2
-rw-r--r--.github/workflows/codeql-analysis.yml6
2 files changed, 8 insertions, 0 deletions
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 9c34210..3b78131 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -6,6 +6,8 @@ concurrency:
group: ${{ github.workflow }}-${{ github.job }}-${{ github.ref }}
cancel-in-progress: true
+permissions: read-all
+
jobs:
Ubuntu:
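Review bot: The workflow-level `permissions: read-all` added to build.yml still gives the GITHUB_TOKEN read access to every scope (issues, pull requests, packages, deployments and so on), which is wider than the "minimal permissions" the commit title aims for. If the build jobs only check out and compile the code, the narrower default is `permissions:` with a single nested `contents: read` entry. The job steps are outside this hunk, so confirm that first. The same top-level `read-all` is added in codeql-analysis.yml and the same narrowing applies there.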
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 37da696..1527837 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -14,10 +14,16 @@ on:
schedule:
- cron: '0 6 * * 5'
+permissions: read-all
+
jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
+ permissions:
+ actions: read # for github/codeql-action/init to get workflow details
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/autobuild to send a status report
strategy:
fail-fast: false
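Review bot: The comment on `security-events: write` attributes the grant to github/codeql-action/autobuild, but this scope is what allows code-scanning results to be uploaded, which is normally done by the analyze step. The steps of the `analyze` job are outside this hunk, so this is inferred rather than visible. Since this is the only write grant in the file, a comment such as `# for github/codeql-action/analyze to upload SARIF results` would give a later maintainer the actual reason it cannot be dropped. Note also that a job-level `permissions` block replaces the workflow-level value for that job, so the `read-all` above only acts as the default for jobs added later.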