Specify default permissions for GitHub Action: CodeQL Create Issues

[castillios]

Fixes #8580

What changes did you make?

• Add a default permissions block in .github/workflows/codeql_create_issues.yml:

permissions:
  actions: read
  contents: read
  security-events: write
  issues: read

• Tweak permissions block specified in original issue to resolve an error in testing. See testing log containing said error at the bottom of this PR.
  • Add actions: read and security-events: write permissions

Why did you make the changes (we will use this info to test)?

• Adding a default permissions block helps limit workflows to what is needed by minimizing unnecessary permissions, as per GitHub security best practices.
• The permissions block specified in the original issue did not contain actions: read and security-events: write. As a result, the workflow would throw an error. After my conversation with Will, I added these two specifications in the original issue to resolve this.

CodeQL Alerts

After the PR has been submitted and the resulting GitHub actions/checks have been completed, developers should check the PR for CodeQL alert annotations.

Check the PR's comments. If present on your PR, the CodeQL alert looks similar as shown

Please let us know that you have checked for CodeQL alerts. Please do not dismiss alerts.

• I have checked this PR for CodeQL alerts and none were found.
• I found CodeQL alert(s), and (select one):
  • I have resolved the CodeQL alert(s) as noted
  • I believe the CodeQL alert(s) is a false positive (Merge Team will evaluate)
  • I have followed the Instructions below, but I am still stuck (Merge Team will evaluate)

Instructions for resolving CodeQL alerts

If CodeQL alert/annotations appear, refer to How to Resolve CodeQL alerts.

In general, CodeQL alerts should be resolved prior to PR reviews and merging

Screenshots of Proposed Changes To The Website (if any, please do not include screenshots of code changes)

• No visual changes to the website.
• I tested the CodeQL Create Issues workflow on my fork.
• In the following test logs, click Workflow File to see the updated .yml file
• Test Log with error (before permissions block was updated)
• Test Log with success (with final changes)

[github-actions]

Want to review this pull request? Take a look at this documentation for a step by step guide!

---

From your project repository, check out a new branch and test the changes.

git checkout -b castillios-test-codeql-create-issues-gha-8580 gh-pages
git pull https://github.com/castillios/website.git test-codeql-create-issues-gha-8580

[t-will-gillis]

Hey @castillios - Great job on this! All the basics are there:

• correct branches
• linked issue
• brief descriptions of what was changed and why
• linked test logs

Thanks for your work on this issue, and for noting that additional permissions were required beyond what the original issue stated.

[t-will-gillis]

Hey @Tomlu60220244 and @castillios -
I will leave this message on both PRs. If either of you have time in the next couple of days, consider reviewing each other’s PR since they both involve GHAs and you have both set up your environments for testing.

• Specify default permissions for check closed issue workflow #8665 To test, you only need to close an issue and make sure the workflow runs. Note that if the automation decides the issue you are closing should be reopened, the workflow will fail at a later point- the “Reopen Issue” step- this is expected and you can ignore it.
• Specify default permissions for GitHub Action: CodeQL Create Issues #8667 To test, you just need to manually trigger the “Code QL Create Issues” workflow from the left side of the “Actions” page.

If either of you don’t have time to get to this, I will merge these PR’s in a few days. (Message me if I forget!)

[castillios]

Hi @t-will-gillis, thanks for bringing this up! I'll assign myself to the PR you mentioned and review it soon.

[Tomlu60220244]

ETA: 6/1/2026
Availability: evenings during these two days.