Merge branch '4.1.x'

snicoll · snicoll · commit c4da31cdd4e8 · 2025-07-07T13:07:24.000+02:00
Closes gh-1629
diff --git a/.github/workflows/build-and-deploy-snapshot.yml b/.github/workflows/build-and-deploy-snapshot.yml
@@ -2,7 +2,9 @@ name: Build and Deploy Snapshot
 on:
   push:
     branches:
-      - main
+      - 'main'
+permissions:
+  contents: read
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -3,6 +3,8 @@ on:
   push:
     branches:
       - 'main'
+permissions:
+  contents: read
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -3,6 +3,8 @@ on:
   push:
     tags:
       - v5.0.[0-9]+
+permissions:
+  contents: read
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
diff --git a/.github/workflows/run-codeql-analysis.yml b/.github/workflows/run-codeql-analysis.yml
@@ -0,0 +1,15 @@
+name: "Run CodeQL Analysis"
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+  schedule:
+    - cron: '45 2 * * 1'
+permissions: read-all
+jobs:
+  run-analysis:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    uses: spring-io/github-actions/.github/workflows/codeql-analysis.yml@6e66995f7d29de1e4ff76e4f0def7a10163fe910
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
@@ -24,6 +24,8 @@ on:
       token:
         description: 'Token to use for authentication with GitHub'
         required: true
+permissions:
+  contents: read
 jobs:
   verify:
     name: Verify
