From f07709949e75d13e1511700953273eb80da4635c Mon Sep 17 00:00:00 2001 From: Emmanuel Roullit Date: Fri, 27 Jan 2023 14:13:04 +0100 Subject: [PATCH] ci: restrict starter workflow permissions Signed-off-by: Emmanuel Roullit --- code-scanning/psalm.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/code-scanning/psalm.yml b/code-scanning/psalm.yml index d6226a1..d35787e 100644 --- a/code-scanning/psalm.yml +++ b/code-scanning/psalm.yml @@ -9,13 +9,21 @@ on: push: branches: [ $default-branch, $protected-branches ] pull_request: + # The branches below must be a subset of the branches above branches: [ $default-branch ] schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: php-security: runs-on: ubuntu-latest + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code @@ -27,4 +35,4 @@ jobs: - name: Upload Security Analysis results to GitHub uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: results.sarif \ No newline at end of file + sarif_file: results.sarif