ci: restrict starter workflow permissions

Signed-off-by: Emmanuel Roullit <eroullit@github.com>
This commit is contained in:
Emmanuel Roullit
2023-01-27 14:13:04 +01:00
parent ac13a846c9
commit f07709949e
+9 -1
@@ -9,13 +9,21 @@ on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
permissions:
contents: read
jobs:
php-security:
runs-on: ubuntu-latest
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout code
@@ -27,4 +35,4 @@ jobs:
- name: Upload Security Analysis results to GitHub
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: results.sarif
sarif_file: results.sarif
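Review bot: The new job-level `permissions` block requests `security-events: write`, but this workflow also fires on `pull_request`, and in my understanding runs triggered from a fork get a read-only GITHUB_TOKEN no matter what the workflow asks for, so the SARIF upload step would fail on those runs; if fork PRs are expected, either guard the upload with `if: github.event.pull_request.head.repo.full_name == github.repository` or add a comment next to `security-events: write` stating that fork PRs will not be able to upload. The inline comment on `actions: read` says it is only required for a private repository — since this is a starter template that public repositories will also copy, consider extending the comment to say it can be removed for public repos so the grant does not stay in place by default. Separately, the upload step still references `github/codeql-action/upload-sarif@v1`, a mutable major tag rather than a full commit SHA; a permissions-hardening change is a natural place to pin it, and v1 of codeql-action appears to have been deprecated around January 2023, so `@v2` would be the supported line — confirm against the action's release notes. Note that the steps list continues outside the first hunk, so any additional steps that need write scopes are not visible here.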