build: harden codeql-analysis.yml permissions

Signed-off-by: Alex <aleksandrosansan@gmail.com>
2022-09-23 22:14:16 +02:00 · 2022-09-23 22:14:16 +02:00 · 13539bd8c6
commit 13539bd8c6
parent dbb97a62bf
1 changed files with 7 additions and 0 deletions
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -9,9 +9,16 @@ on:
  schedule:
    - cron: '0 22 * * 5'

+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
  CodeQL-Build:

+    permissions:
+      contents: read # to fetch code (actions/checkout)
+      security-events: write # to upload SARIF results (github/codeql-action/analyze)
+
    runs-on: ubuntu-latest

    steps: