diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml index 3b24d9f..92707b1 100644 --- a/code-scanning/codescan.yml +++ b/code-scanning/codescan.yml @@ -17,8 +17,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: CodeScan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: - name: Checkout repository diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml index f4e9b8c..a685323 100644 --- a/code-scanning/snyk-infrastructure.yml +++ b/code-scanning/snyk-infrastructure.yml @@ -21,8 +21,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: snyk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index 48249fc..3462eaa 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -42,9 +42,15 @@ on: - cron: $cron-weekly workflow_dispatch: +permissions: + contents: read + jobs: xanitizer-security-analysis: # Xanitizer runs on ubuntu-latest and windows-latest. + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml index 841a2fd..d7c27d9 100644 --- a/deployments/alibabacloud.yml +++ b/deployments/alibabacloud.yml @@ -40,6 +40,9 @@ env: ACR_EE_IMAGE: repo ACR_EE_TAG: ${{ github.sha }} +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest