authorMarti Maria <marti.maria@littlecms.com>2023-03-14 19:04:13 +0100
committerGitHub <noreply@github.com>2023-03-14 19:04:13 +0100
commitbad332609443dd3ad38a73ca950a43c4f346f39f (patch)
treea6b461490c952fe416d77cb26a05cd669de4d99f
parent71758e5783f005769723b239c9aadbc724647d21 (diff)
parent63b3a350d637ecac45423609f85a68f7a5cedc9e (diff)
downloadlcms2-bad332609443dd3ad38a73ca950a43c4f346f39f.tar.gz
Merge pull request #368 from diogoteles08/ci/set-workflows-permissions
CI: set minimal permissions to GitHub Workflows Looks great, thank you!
-rw-r--r--.github/workflows/build.yml2
-rw-r--r--.github/workflows/codeql-analysis.yml6
2 files changed, 8 insertions, 0 deletions
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b1cd3a2..cc03cc9 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -6,6 +6,8 @@ concurrency:
group: ${{ github.workflow }}-${{ github.job }}-${{ github.ref }}
cancel-in-progress: true
+permissions: read-all
+
jobs:
Ubuntu:
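Review bot: `permissions: read-all` in build.yml still gives the workflow token read access to every scope (issues, pull requests, packages, deployments and so on), which is wider than a compile-and-test workflow normally needs. The job bodies lie outside this hunk, so this needs confirming, but if the jobs only check out and build the code, a `permissions:` mapping holding just `contents: read` would be the least-privilege setting. A comment above the key, for example `# default token scope for every job; widen per job only where a step needs it`, would also tell later contributors where extra scopes belong.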
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 37da696..1527837 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -14,10 +14,16 @@ on:
schedule:
- cron: '0 6 * * 5'
+permissions: read-all
+
jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
+ permissions:
+ actions: read # for github/codeql-action/init to get workflow details
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/autobuild to send a status report
strategy:
fail-fast: false
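Review bot: The job-level `permissions:` block on `analyze` replaces the workflow-level value for that job, so the top-level `permissions: read-all` only acts as the default for any other job in this file. If `analyze` is the only job (the rest of the file is outside this hunk), the default could be narrowed to `contents: read` so that a job added later starts from the smallest scope. The comment on `security-events: write` attributes the scope to an autobuild status report; that scope is what allows code scanning results to be uploaded, which is normally done by the `github/codeql-action/analyze` step if the job has one. In that case a more accurate comment would be `# for github/codeql-action/analyze to upload code scanning results`.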