ci: Add permissions blocks to action definitions

CodeQL identified a medium severity security issue with the action definitions not including a permissions block as required by modern security practices. This change ensures that the majority of the actions force the token to be read-only and not accidentally write content back into the repository.
2026-03-09 10:34:40 -07:00 · 2026-03-09 10:34:40 -07:00 · 378cbbd931
parent 47da6e22d1
commit 378cbbd931
4 changed files with 13 additions and 0 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -1,5 +1,8 @@
 name: Build/Test

+permissions:
+  contents: read
+
 on:
  push:
    branches:
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -1,5 +1,9 @@
 name: "CodeQL"

+permissions:
+  contents: read
+  security-events: write
+
 on:
  pull_request:
    # The branches below must be a subset of the branches above
--- a/.github/workflows/kernel.yml
+++ b/.github/workflows/kernel.yml
@ -1,5 +1,8 @@
 name: Kernel Module

+permissions:
+  contents: read
+
 on:
  push:
    branches: [ '*' ]
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -1,5 +1,8 @@
 name: Create Release

+permissions:
+  contents: write
+
 on:
  push:
    tags: