Merge pull request #9701 from sashashura/patch-6

GitHub Workflows security hardening
2026-02-27 01:43:22 +00:00 · 2022-09-27 11:56:25 +10:00
parent b851aba81a 8ce82a9ad6
commit 561aa0e291
2 changed files with 7 additions and 0 deletions
--- a/.github/workflows/linters.yml
+++ b/.github/workflows/linters.yml
@@ -1,5 +1,7 @@
 name: Linters
 on: [push, pull_request]
+permissions:
+  contents: read # to fetch code (actions/checkout)
 jobs:
  rubocop:
    name: runner / rubocop
--- a/.github/workflows/mapi.yml
+++ b/.github/workflows/mapi.yml
@@ -1,7 +1,12 @@
 name: 'Mayhem for API'
 on: workflow_dispatch
+permissions:
+  contents: read # to fetch code (actions/checkout)
 jobs:
  test:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
+      security-events: write # to upload SARIF results (github/codeql-action/upload-sarif)
    if: ${{ github.repository_owner == 'openfoodfoundation' }}
    runs-on: ubuntu-latest
    strategy: