ci: tighten codeql and labeler even more

by moving the read permissions to the top level and granting additional permissions to the specific jobs. It should help to prevent new jobs that could be added there eventually from having write access to resources they most likely would never need.
2025-02-23 13:57:33 +03:00 · 2021-11-14 09:41:42 +00:00 · 2021-11-14 09:41:42 +00:00 · 510afa460a
commit 510afa460a
parent b3a1fb795a
2 changed files with 5 additions and 2 deletions
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -11,6 +11,9 @@ on:
  schedule:
    - cron: '0 1 * * *'

+permissions:
+  contents: read
+
 jobs:
  analyze:
    name: Analyze
@ -20,7 +23,6 @@ jobs:
      cancel-in-progress: true
    permissions:
      actions: read
-      contents: read
      security-events: write

    strategy:
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@ -9,11 +9,12 @@ on:

 permissions:
  contents: read
-  pull-requests: write

 jobs:
  triage:
    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
    steps:
    - uses: actions/labeler@69da01b8e0929f147b8943611bee75ee4175a49e
      with: