Merge pull request #457 from github/restrict-permissions

chrisgavin · web-flow · commit 33bb16c8b4cd · 2021-04-30T14:19:45.000+01:00
Restrict Actions token permissions in CodeQL workflow.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -13,6 +13,11 @@ jobs:
     outputs:
       versions: ${{ steps.compare.outputs.versions }}
 
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
     steps:
     - uses: actions/checkout@v2
     - name: Init with default CodeQL bundle from the VM image
@@ -59,6 +64,11 @@ jobs:
         tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
     runs-on: ${{ matrix.os }}
 
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
     steps:
     - uses: actions/checkout@v2
     - uses: ./init
