Resolve CodeQL Workload Permissions

Author: davidcollom

.github/workflows/build-test.yaml

@@ -8,12 +8,15 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Setting some default permissions for all jobs
+permissions:
+  contents: read
+  security-events: read
+  pull-requests: read
+  checks: write
+
 jobs:
   lint:
-    permissions:
-      contents: read # for actions/checkout to fetch code
-      pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
-      checks: write # for golangci/golangci-lint-action to annotate Pull Requests
     name: Lint Go code
     runs-on: ubuntu-latest
     steps:
@@ -35,6 +38,8 @@ jobs:
   code-scan:
     name: Code Scan
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -58,6 +63,8 @@ jobs:
   govulncheck:
     runs-on: ubuntu-latest
     name: Run govulncheck
+    permissions:
+      security-events: write
     steps:
       # We only need to checkout as govuln does the go setup...
       - name: Checkout code

.github/workflows/helm-test.yaml

@@ -11,11 +11,13 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+  pull-requests: read
+  checks: write
+
 jobs:
   lint:
-    permissions:
-      contents: read # for actions/checkout to fetch code
-      pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
     name: Lint Helm Chart
     runs-on: ubuntu-latest
     steps:

.github/workflows/release.yaml

@@ -11,6 +11,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   release-name:
     name: Generate a clean release name from the branch/tag