diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 4fdbc1fcd..31ccdacb6 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -495,6 +495,9 @@ jobs: run: rm -rf ./release-packages ./test/test-results trivy-scan-repo: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-20.04 steps: - name: Checkout repo diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index e4b02aaa0..efe068fbd 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -17,8 +17,15 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: ${{ github.event_name == 'pull_request' }} +permissions: + contents: read + jobs: analyze: + permissions: + actions: read # for github/codeql-action/init to get workflow details + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/autobuild to send a status report name: Analyze runs-on: ubuntu-20.04 diff --git a/.github/workflows/installer.yml b/.github/workflows/installer.yml index 5002c3e81..bf0f4eaa0 100644 --- a/.github/workflows/installer.yml +++ b/.github/workflows/installer.yml @@ -19,6 +19,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: ${{ github.event_name == 'pull_request' }} +permissions: + contents: read + jobs: ubuntu: name: Test installer on Ubuntu