fix: harden workflow permissions with deny-all top-level and least-privilege job scopes (#482)

2026-03-06 09:56:27 +00:00 · 2026-03-06 02:44:56 +02:00
parent 455267f892
commit ae4ad9ec80
12 changed files with 32 additions and 35 deletions
--- a/.github/workflows/codeql-new.yml
+++ b/.github/workflows/codeql-new.yml
@@ -13,17 +13,16 @@ on:
    - cron: '30 1 * * 0' # Run at 1:30 AM UTC every Sunday
  merge_group:

-permissions:
-  actions: read
-  contents: read
+permissions: {}

 jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
-      security-events: write
+      actions: read
      contents: read
+      security-events: write

    strategy:
      fail-fast: false