GHA: clarify workflows permissions, set least possible privilege

Set top-level permissions to None on all workflows, setting per-job permissions. This avoids that new jobs inherit unwanted permissions. Discussion: https://curl.se/mail/lib-2022-11/0028.html Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> Closes #9928
2026-04-15 03:41:41 +03:00 · 2022-11-16 11:55:33 -03:00 · 2022-11-16 11:55:33 -03:00 · a2f5a4ca6f
commit a2f5a4ca6f
parent 8fc2423338
14 changed files with 33 additions and 9 deletions
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -18,12 +18,13 @@ on:
 concurrency:
  group: ${{ github.workflow }}

-permissions:
-  security-events: write
+permissions: {}

 jobs:
  codeql:
    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
    steps:
    - name: Checkout repository
      uses: actions/checkout@v3