From ebc54c8cba157277ffadd8d12bb9fc75556d8365 Mon Sep 17 00:00:00 2001
From: Rifa Achrinza <25147899+achrinza@users.noreply.github.com>
Date: Sat, 11 Sep 2021 14:24:47 +0800
Subject: [PATCH] ci: restrict GITHUB_TOKEN permissions

Signed-off-by: Rifa Achrinza <25147899+achrinza@users.noreply.github.com>
---
 .github/workflows/continuous-integration.yaml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/continuous-integration.yaml b/.github/workflows/continuous-integration.yaml
index 49a9748b1..cbcc6754c 100644
--- a/.github/workflows/continuous-integration.yaml
+++ b/.github/workflows/continuous-integration.yaml
@@ -8,6 +8,8 @@ on:
     branches:
     - 5.x
 
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -64,6 +66,9 @@ jobs:
   codeql:
     name: CodeQL
     runs-on: ubuntu-latest
+    permissions:
+      # See: https://github.com/github/codeql-action/blob/008b2cc71c4cf3401f45919d8eede44a65b4a322/README.md#usage
+      security-events: write
     steps:
     - name: Checkout repository
       uses: actions/checkout@v2
@@ -75,4 +80,4 @@ jobs:
         config-file: ./.github/codeql/codeql-config.yml
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
\ No newline at end of file
+      uses: github/codeql-action/analyze@v1