Merge pull request #457 from github/restrict-permissions

Restrict Actions token permissions in CodeQL workflow.
2021-04-30 14:19:45 +01:00 · 2021-04-30 14:19:45 +01:00 · 33bb16c8b4
commit 33bb16c8b4
parent 1585462c63 d879f4b84e
1 changed files with 10 additions and 0 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -13,6 +13,11 @@ jobs:
    outputs:
      versions: ${{ steps.compare.outputs.versions }}

+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
    steps:
    - uses: actions/checkout@v2
    - name: Init with default CodeQL bundle from the VM image
@ -59,6 +64,11 @@ jobs:
        tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
    runs-on: ${{ matrix.os }}

+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
    steps:
    - uses: actions/checkout@v2
    - uses: ./init