ci(codeql): explicitly grant runner token permissions

This allows us to make our runner token only have read-only permissions by default Signed-off-by: Seth Flynn <getchoo@tuta.io>
2026-06-29 01:54:20 +03:00 · 2026-02-02 16:51:58 -05:00 · 2026-02-02 16:51:58 -05:00 · e0ad6a2b3b
commit e0ad6a2b3b
parent f85e2ddb15
1 changed files with 6 additions and 0 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -58,10 +58,16 @@ on:
      - ".github/actions/setup-dependencies/**"
  workflow_dispatch:

+permissions: {}
+
 jobs:
  CodeQL:
    runs-on: ubuntu-latest

+    permissions:
+      contents: read
+      security-events: write
+
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6