From fa007a6ab83ceccdb3910b89345d446c3e7c55c6 Mon Sep 17 00:00:00 2001
From: Andrew Alson <83783605+andrewalson@users.noreply.github.com>
Date: Wed, 16 Oct 2024 16:03:29 -0400
Subject: [PATCH] Refactor permissions to reduce attack surface

---
 .github/workflows/codeql-analysis.yml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index f99aa251a..fe9a149cf 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -16,9 +16,14 @@ on:
     - cron: '27 1 * * 0'
 
 permissions:
-  actions: read
-  contents: read
-  security-events: write
+  statuses: read # Small reduction of attack
+  checks: read # Small reduction of attack
+  security-events: write # Small reduction of attack
+  deployments: read # Small reduction of attack
+
+  contents: read # Large reduction of attack
+  packages: read # Large reduction of attack
+  actions: none # Large reduction of attack
 
 # This allows a subsequently queued workflow run to interrupt previous runs
 concurrency:
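Review bot: The added `statuses: read`, `checks: read`, `deployments: read` and `packages: read` lines grant scopes the workflow never had, so the new `permissions:` block widens the job token rather than reducing it as the subject line claims; least privilege here means keeping only what the CodeQL steps actually use. As I recall the CodeQL action documents `actions: read` as required on private repositories, so the change to `actions: none` may break the analysis upload if this repo is or becomes private; that should be confirmed against the action's documentation before merging. The trailing `# Small/Large reduction of attack` comments do not say what each scope is for and read as truncated; I would replace the block with `contents: read # checkout`, `security-events: write # upload SARIF results`, and, only if the repository is private, `actions: read # required by CodeQL on private repos`. The enclosing `on:` trigger block starts outside the hunk.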