[StepSecurity] ci: Harden GitHub Actions (#201)

step-security-bot · web-flow · commit df49cb21f4fb · 2024-09-10T19:04:05.000-07:00
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -19,13 +19,18 @@ on:
   schedule:
     - cron: '34 18 * * 6'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze (C/C++)
     runs-on: windows-latest
     timeout-minutes: 360
     permissions:
-      security-events: write
+      actions: read  # for github/codeql-action/init to get workflow details
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/autobuild to send a status report
       packages: read
 
     steps:
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -17,6 +17,9 @@ on:
       - build/*.ps1
       - build/*.yml
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ${{ matrix.os }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -17,6 +17,9 @@ on:
       - build/*.ps1
       - build/*.yml
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ${{ matrix.os }}
