canonical · niemeyer · Apr 27, 2026 · Apr 7, 2026 · Apr 7, 2026 · Apr 20, 2026
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
@@ -8,14 +8,21 @@ jobs:
   scan:
     name: Scan for known vulnerabilities
     runs-on: ubuntu-latest
+    # The codeql-action/upload-sarif action can only use the built-in GitHub
+    # token. So use it and expand its permissions instead of using a fine-grained
+    # token.
+    # See https://github.com/github/codeql-action/blob/main/upload-sarif/action.yml#L23
+    permissions:
+      security-events: write
+      contents: read
     strategy:
       fail-fast: false
       matrix:
         # Scan binaries for all released architectures. Ensures catching
         # architecture-specific vulnerabilities.
         arch: [amd64, arm, arm64, ppc64le, s390x, riscv64]
     env:
-      TRIVY_RESULTS: 'trivy-results.sarif'
+      TRIVY_RESULTS: 'trivy-results.${{ matrix.arch }}.sarif'
       SCAN_DIR: 'release-scan'
     steps:
       - name: Download and extract latest release