diff --git a/code-scanning/psalm.yml b/code-scanning/psalm.yml
index d6226a1..d35787e 100644
--- a/code-scanning/psalm.yml
+++ b/code-scanning/psalm.yml
@@ -9,13 +9,21 @@ on:
   push:
     branches: [ $default-branch, $protected-branches ]
   pull_request:
+    # The branches below must be a subset of the branches above
     branches: [ $default-branch ]
   schedule:
     - cron: $cron-weekly
 
+permissions:
+  contents: read
+
 jobs:
   php-security:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
     steps:
       - name: Checkout code
@@ -27,4 +35,4 @@ jobs:
       - name: Upload Security Analysis results to GitHub
         uses: github/codeql-action/upload-sarif@v1
         with:
-          sarif_file: results.sarif
\ No newline at end of file
+          sarif_file: results.sarif
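Review bot: The job-level `permissions` block added under php-security replaces the workflow-level `permissions: contents: read` rather than merging with it, so the repeated `contents: read` in the job block is load-bearing and nothing on the page says so; a comment such as `# job-level permissions replace the workflow-level defaults, so contents: read must be repeated here` would stop a later cleanup from dropping it and breaking checkout. The three inline comments sit one space after the value (`contents: read # for ...`), which yamllint's `comments` rule rejects; two spaces before `#`, with the long `actions: read` explanation moved to its own comment line above the key, would also keep that line within the 120-column limit. On a pull_request from a fork the GITHUB_TOKEN is presumably read-only regardless of this block, so the upload-sarif step would fail there; if fork PRs are expected, that deserves a note next to `security-events: write`. The php-security job and its steps list continue past the end of the hunk.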