From 83dfa6c2a171e8aeb8a20903747648617c73efaf Mon Sep 17 00:00:00 2001
From: Kenny Leung <kleung@chainguard.dev>
Date: Wed, 23 Feb 2022 04:00:34 -0800
Subject: [PATCH] explicitly set permissions for github actions (#687)

Signed-off-by: Kenny Leung <kleung@chainguard.dev>
---
 .github/workflows/codeql-analysis.yml | 4 ++++
 .github/workflows/main.yml            | 3 +++
 .github/workflows/verify.yml          | 3 +++
 3 files changed, 10 insertions(+)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 2c272bc..744e060 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -24,6 +24,10 @@ on:
   schedule:
     - cron: '45 10 * * 1'
 
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   analyze:
     name: Analyze
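Review bot: The added `permissions` block for codeql-analysis.yml grants `contents: read` and `security-events: write` but omits `actions: read`, which the CodeQL action documents as required for workflows in private repositories (it is not needed for public ones); if this repository is or may become private, the SARIF upload in the `analyze` job would fail with a 403. A one-line addition matching the upstream CodeQL template covers it: `  actions: read  # only required for workflows in private repositories`. Since the top-level block now sets every unlisted scope to none, a short comment above it stating that intent (`# Least-privilege GITHUB_TOKEN; analyze needs security-events: write to upload SARIF`) would help the next maintainer who adds a job. The `analyze` job body continues outside the hunk, so I could not confirm whether it relies on any other scope.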
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 9068d14..6bd914b 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -21,6 +21,9 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-20.04
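Review bot: The top-level `permissions: contents: read` added here (and identically in verify.yml) drops every other GITHUB_TOKEN scope to none for all jobs in the workflow, and the job bodies that this affects lie outside the hunk; any step that writes back to the repository — posting PR comments or checks, pushing tags or branches, uploading security results — will now fail with a 403 unless the job declares its own `permissions:` block. Worth a pass over the `build` job in main.yml and the `license-check` job (plus any others) in verify.yml to confirm they only read the checkout. Adding a comment above the block, e.g. `# Default GITHUB_TOKEN is read-only; jobs needing more must set permissions at job level`, makes the least-privilege intent explicit for future edits. Note that a job-level `permissions:` replaces rather than extends this top-level block, so such a job must re-list `contents: read` as well.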
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
index 315e56a..f8e34bb 100644
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
@@ -17,6 +17,9 @@ name: Verify
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   license-check:
     name: license boilerplate check
-- 
GitLab