From 4570e7b326d36de4e7c7b2cd9eee89621aa8b394 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Tue, 2 Jul 2024 17:41:51 +0000
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions

Signed-off-by: StepSecurity Bot
---
 .github/workflows/basic_func_tests.yml | 3 +++
 .github/workflows/codeql.yml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/basic_func_tests.yml b/.github/workflows/basic_func_tests.yml
index d94a5357..37954879 100644
--- a/.github/workflows/basic_func_tests.yml
+++ b/.github/workflows/basic_func_tests.yml
@@ -14,6 +14,9 @@ on:
   workflow_dispatch:
 
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
+permissions:
+  contents: read
+
 jobs:
   # This workflow contains a single job called "build"
   build:
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 39adb93f..281bcd86 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -19,6 +19,9 @@ on:
   schedule:
     - cron: '41 23 * * 3'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze (${{ matrix.language }})
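Review bot: The new workflow-level `permissions: contents: read` in basic_func_tests.yml lowers the GITHUB_TOKEN for every job, so any step in `build` that writes (publishing check results, commenting on a PR, pushing artifacts to a release) will now fail with a 403 unless that job declares its own `permissions:` block; the body of `build` lies outside this hunk, so confirm it only needs read access before merging. If a step does need more, grant it on the job (e.g. `permissions:` / `  contents: read` / `  pull-requests: write` under `build:`) rather than widening this workflow-wide default, which is the right place for the minimum. The commit title promises hardening but the hunk does not touch the job's `uses:` references; if those still resolve by tag rather than by commit SHA, pinning them is the other half of the hardening and is worth a follow-up.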
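Review bot: With `contents: read` as the workflow-wide default in codeql.yml, the `analyze` job can only upload its SARIF results if it carries its own job-level `permissions:` granting `security-events: write` (and `actions: read` on a private repository); that job's body is outside the hunk, so verify the block is present, and if it is not, add under `analyze:` the lines `permissions:` / `  actions: read` / `  contents: read` / `  security-events: write`. Keeping the write scope on the job and the read-only default here is the intended least-privilege shape, so do not move `security-events: write` up to the top level. The hunk leaves the `github/codeql-action` `uses:` lines untouched; if they reference a tag, pinning them to a commit SHA would complete the hardening this commit starts.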