diff --git a/.github/workflows/codeql-daily.yml b/.github/workflows/codeql-daily.yml index 87aec4bd24d6..9eba30588dac 100644 --- a/.github/workflows/codeql-daily.yml +++ b/.github/workflows/codeql-daily.yml @@ -1,3 +1,8 @@ +name: CodeQL/daily + +permissions: + contents: read + on: schedule: - cron: '0 12 * * 4' @@ -6,11 +11,13 @@ concurrency: group: ${{ github.head_ref-github.workflow || github.run_id }} cancel-in-progress: true + jobs: CodeQL-Build: permissions: security-events: write # for github/codeql-action/analyze to upload SARIF results + pull-requests: read strategy: fail-fast: false diff --git a/.github/workflows/codeql-push.yml b/.github/workflows/codeql-push.yml index c21542a34e50..a3773944f4b2 100644 --- a/.github/workflows/codeql-push.yml +++ b/.github/workflows/codeql-push.yml @@ -1,5 +1,8 @@ name: CodeQL +permissions: + contents: read + on: push: paths: @@ -12,11 +15,13 @@ concurrency: group: ${{ github.head_ref-github.workflow || github.run_id }} cancel-in-progress: true + jobs: CodeQL-Build: permissions: security-events: write # for github/codeql-action/analyze to upload SARIF results + pull-requests: read strategy: fail-fast: false diff --git a/.github/workflows/envoy-sync.yml b/.github/workflows/envoy-sync.yml index 09fa027d64b9..d24ad17f2253 100644 --- a/.github/workflows/envoy-sync.yml +++ b/.github/workflows/envoy-sync.yml @@ -1,5 +1,8 @@ name: 'Sync downstream' +permissions: + contents: read + on: push: branches:
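Review bot: The job-level `permissions` block on `CodeQL-Build` (second hunk of `codeql-daily.yml`) replaces the new workflow-level `contents: read` instead of merging with it. The job therefore runs with only `security-events: write` and `pull-requests: read`, and every other scope, `contents` included, falls to `none`. The job's steps are outside the hunk; if one of them checks out the repository, that still works on a public repository but would fail on a private one. Listing `contents: read` under the job as well would make the effective token explicit. The second hunk of `codeql-push.yml` has the same block and the same gap.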
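Review bot: The added `pull-requests: read` under `CodeQL-Build` in the second hunk of `codeql-push.yml` has no stated reason, unlike the `security-events: write` line above it. Neither the `push` trigger visible here nor the `schedule` trigger in `codeql-daily.yml` runs in the context of a pull request. If a step does need the scope, say so inline, e.g. `pull-requests: read  # for <step that reads PR data>`; otherwise drop it so the token keeps only what the analysis uses. The trigger lists and job steps are only partly visible in these hunks, so confirm this against the full files.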