ci: fix OpenSSF permission token issues (#24580)

renovatebot · Sep 21, 2023 · 3d7cf23 · 3d7cf23
1 parent ecf5744
commit 3d7cf23
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 3 deletions.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -21,12 +21,14 @@ concurrency:
   cancel-in-progress: true
 
 permissions:
-  security-events: write
+  contents: read
 
 jobs:
   CodeQL-Build:
     runs-on: ubuntu-latest
     if: github.event.pull_request.draft != true
+    permissions:
+      security-events: write
     steps:
       - name: Checkout repository
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0

diff --git a/.github/workflows/devcontainer.yml b/.github/workflows/devcontainer.yml
@@ -9,6 +9,9 @@ on:
       - reopened
       - ready_for_review
 
+permissions:
+  contents: read
+
 jobs:
   devcontainer-test:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/update-data.yml b/.github/workflows/update-data.yml
@@ -8,12 +8,14 @@ env:
   NODE_VERSION: 18
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 jobs:
   update-data:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0