Refactor permissions to reduce attack surface

OpenSourceFellows · Oct 16, 2024 · fa007a6 · fa007a6
1 parent af3a151
commit fa007a6
Showing 1 changed file with 8 additions and 3 deletions.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -16,9 +16,14 @@ on:
     - cron: '27 1 * * 0'
 
 permissions:
-  actions: read
-  contents: read
-  security-events: write
+  statuses: read          # Small reduction of attack
+  checks: read            # Small reduction of attack
+  security-events: write  # Small reduction of attack
+  deployments: read       # Small reduction of attack
+
+  contents: read          # Large reduction of attack
+  packages: read          # Large reduction of attack
+  actions: none           # Large reduction of attack
 
 # This allows a subsequently queued workflow run to interrupt previous runs
 concurrency: