Merge pull request #153 from timvw/fix/codeql-permissions

timvw · web-flow · commit 3f942fc53b59 · 2025-11-26T14:37:09.000+01:00
Add explicit permissions to GitHub workflows
diff --git a/.github/workflows/binaries-check.yml b/.github/workflows/binaries-check.yml
@@ -6,6 +6,9 @@ on:
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 env:
   CARGO_INCREMENTAL: 0
   CARGO_NET_GIT_FETCH_WITH_CLI: true
diff --git a/.github/workflows/test_suite.yml b/.github/workflows/test_suite.yml
@@ -13,6 +13,9 @@ on:
       - 'main'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -22,6 +25,10 @@ jobs:
     if: (github.event_name != 'pull_request' && ! github.event.pull_request.head.repo.fork) || (github.event_name == 'pull_request' && (github.event.pull_request.head.repo.fork || startsWith(github.head_ref, 'dependabot/') || startsWith(github.head_ref, 'renovate/') || startsWith(github.head_ref, 'release-plz')))
     name: cargo test
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      checks: write
+      statuses: write
     steps:
       - uses: actions/checkout@v6
         with:
