gh: Lower ossf compiler scanner permissions

garazdawi · garazdawi · commit c9601cd9ff90 · 2024-11-18T10:36:36.000+01:00
diff --git a/.github/workflows/ossf-compiler-flags-scanner.yaml b/.github/workflows/ossf-compiler-flags-scanner.yaml
@@ -27,18 +27,20 @@ on:
     - cron: 0 1 * * *
 
 permissions:
-  # Required to upload SARIF file to CodeQL.
-  # See: https://github.com/github/codeql-action/issues/2117
-  actions: read
-  # Require writing security events to upload SARIF file to security tab
-  security-events: write
-  # Only need to read contents
   contents: read
 
 jobs:
   schedule-scan:
     runs-on: ubuntu-latest
     if: github.repository == 'erlang/otp'
+    permissions:
+      # Required to upload SARIF file to CodeQL.
+      # See: https://github.com/github/codeql-action/issues/2117
+      actions: read
+      # Require writing security events to upload SARIF file to security tab
+      security-events: write
+      # Only need to read contents
+      contents: read
     steps:
       - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # ratchet:actions/checkout@v4.2.1
       - name: Create initial pre-release tar
