authorDiogo Teles Sant'Anna <diogoteles@google.com>2023-03-10 17:24:25 -0300
committerDiogo Teles Sant'Anna <diogoteles@google.com>2023-03-10 17:24:25 -0300
commit63b3a350d637ecac45423609f85a68f7a5cedc9e (patch)
treeb2fe98c6d806e5b70368f3b287cf684af417d232
parentef21b76c33aadfe67f61e378627cd63f21aab4c1 (diff)
downloadlcms2-63b3a350d637ecac45423609f85a68f7a5cedc9e.tar.gz
CI: set minimal permissions to GitHub Workflows
Set top-level read-only permissions on all workflows; for the jobs that require write permissions, grant those only at job level. Closes #366 Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
-rw-r--r--.github/workflows/build.yml2
-rw-r--r--.github/workflows/codeql-analysis.yml6
2 files changed, 8 insertions, 0 deletions
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 1590df3..3197ba0 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -6,6 +6,8 @@ concurrency:
group: ${{ github.workflow }}-${{ github.job }}-${{ github.ref }}
cancel-in-progress: true
+permissions: read-all
+
jobs:
Ubuntu:
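Review bot: The new top-level `permissions: read-all` in build.yml still hands the GITHUB_TOKEN read access to every scope (issues, pull-requests, packages, deployments, and so on), which is broader than a build job that only checks out sources needs; the least-privilege form is to name the one scope used, `permissions:` followed by `  contents: read`. The same top-level line is added in codeql-analysis.yml, where it matters less because the analyze job already declares its own job-level block, but narrowing both keeps the two files consistent. If any step in build.yml later needs more than repository contents (artifact or release uploads, for example), the extra scope is better granted at job level, as the codeql change already does. The Ubuntu job starts on the last line of this hunk and its steps lie outside it, so whether the visible jobs need any further scope cannot be confirmed from here.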
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 37da696..1527837 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -14,10 +14,16 @@ on:
schedule:
- cron: '0 6 * * 5'
+permissions: read-all
+
jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
+ permissions:
+ actions: read # for github/codeql-action/init to get workflow details
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/autobuild to send a status report
strategy:
fail-fast: false