diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 69796f15e23..1aa6f66d6f2 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -3,6 +3,9 @@ name: "CodeQL"
 # @see https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#onpushpull_requestbranchestags
 on: [push, pull_request]
 
+# See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions: write-all
+
 jobs:
 analyze:
 name: actions-codeql-analyze
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c8af7fca298..8830563336c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,6 +6,9 @@ on:
 tags:
 - v6*
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 envs:
 name: envs
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index eb36f731f5a..723919fd6c6 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -2,7 +2,8 @@
 # by a third-party and are governed by separate terms of service, privacy
 # policy, and support documentation.
 
-name: Scorecard supply-chain security
+name: Scorecard
+
 on:
 # For Branch-Protection check. Only the default branch is supported. See
 # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
@@ -70,3 +71,8 @@ jobs:
 uses: github/codeql-action/upload-sarif@807578363a7869ca324a79039e6db9c843e0e100 # v2.1.27
 with:
 sarif_file: results.sarif
+
+ # Delete the SARIF file.
+ - uses: geekyeggo/delete-artifact@v2
+ with:
+ name: SARIF file
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 5ca048ece60..ff895ee7a29 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
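Review bot: `permissions: write-all` at the workflow level of codeql-analysis.yml gives every job in the file a GITHUB_TOKEN with write access on every scope for every push, which is the opposite of the `permissions: read-all` default the sibling `release.yml` and `test.yml` hunks in this same commit introduce. CodeQL only needs to upload its results, so the workflow-level grant should be the minimal set (`security-events: write`, plus `actions: read` and `contents: read`) declared as a block mapping; a compromised step or action in the `analyze` job (whose body is outside the hunk) would otherwise hold a token that can push code, edit releases and write packages. If a job genuinely needs more, add it at the job level rather than widening the default for the whole file. The proposed replacement is below.
```yaml
# Least privilege: CodeQL only needs to upload SARIF results.
permissions:
  actions: read
  contents: read
  security-events: write
```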
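Review bot: The new `permissions: read-all` in release.yml is the right default, but it also strips write access from any job in this workflow that publishes a release or pushes tags, and the `envs` job and whatever follows it are outside the hunk, so I cannot confirm none of them needs it. Any job that creates a release should now carry a job-level grant such as `permissions: { contents: write }` (block style preferred), and a job that publishes packages needs `packages: write`, or it will fail with a 403 on the first tagged run. Please run the workflow against a throwaway `v6*` tag to confirm before this lands.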
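Review bot: `- uses: geekyeggo/delete-artifact@v2` in scorecard.yml references a mutable tag, while the `upload-sarif` step right above it pins to a full commit SHA with a `# v2.1.27` comment; a moved tag changes what runs with the job's token, and Scorecard's own Pinned-Dependencies check will flag exactly this line. Pin it the same way — `- uses: geekyeggo/delete-artifact@<full 40-char commit sha> # vX.Y.Z` — with the SHA of the release you actually vetted (I have not looked one up, so do not copy a value from here). Separately, `name: SARIF file` has to match the artifact name given to the upload step earlier in this job, which is outside the hunk; if the names differ the step silently deletes nothing, so a short comment like `# must match the upload-artifact step's name above` would help the next editor.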
@@ -3,6 +3,9 @@ name: "Test"
 # @see https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#onpushpull_requestbranchestags
 on: [push, pull_request]
 
+# Declare default permissions as read only.
+permissions: read-all
+
 # The dependency graph:
 # test(6m)
 # multiple-arch-armv7(13m)