From e0ad6a2b3b997b979138583f5dea5584c3fa5483 Mon Sep 17 00:00:00 2001
From: Seth Flynn
Date: Mon, 2 Feb 2026 16:51:58 -0500
Subject: [PATCH] ci(codeql): explicitly grant runner token permissions

This allows us to make our runner token only have read-only permissions by default

Signed-off-by: Seth Flynn
---
 .github/workflows/codeql.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index e4830ddd9..dbc163715 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -58,10 +58,16 @@ on:
       - ".github/actions/setup-dependencies/**"
   workflow_dispatch:
+permissions: {}
+
 jobs:
   CodeQL:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6
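Review bot: The job-level grant added under `CodeQL:` (`contents: read`, `security-events: write`) is the documented minimum for CodeQL analysis on a public repository, but the CodeQL action also documents `actions: read` as required on private repositories, so if this repository is private the analysis upload will start failing once the top-level `permissions: {}` removes the default token scopes; confirm repository visibility before merging. The job's step list continues outside the hunk, so it cannot be checked here whether a later step needs a further scope (for example `packages: read` if private CodeQL packs are fetched). A short comment per scope would keep the minimal grant auditable for the next person who tightens it, e.g. `security-events: write # needed by the CodeQL analyze/upload step to publish results`.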