From 378cbbd9317a89a4abf01213200cf582b9baa934 Mon Sep 17 00:00:00 2001
From: nirenjan
Date: Mon, 9 Mar 2026 10:34:40 -0700
Subject: [PATCH] ci: Add permissions blocks to action definitions

CodeQL identified a medium severity security issue with the action definitions not including a permissions block as required by modern security practices. This change ensures that the majority of the actions force the token to be read-only and not accidentally write content back into the repository.
---
 .github/workflows/build.yml | 3 +++
 .github/workflows/codeql-analysis.yml | 4 ++++
 .github/workflows/kernel.yml | 3 +++
 .github/workflows/release.yml | 3 +++
 4 files changed, 13 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 4851a09..0fd15a1 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,5 +1,8 @@
 name: Build/Test
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 677198a..3880611 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -1,5 +1,9 @@
 name: "CodeQL"
 
+permissions:
+  contents: read
+  security-events: write
+
 on:
   pull_request:
     # The branches below must be a subset of the branches above
diff --git a/.github/workflows/kernel.yml b/.github/workflows/kernel.yml
index dc3021a..3d51a0b 100644
--- a/.github/workflows/kernel.yml
+++ b/.github/workflows/kernel.yml
@@ -1,5 +1,8 @@
 name: Kernel Module
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: [ '*' ]
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c1c9527..3834871 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,5 +1,8 @@
 name: Create Release
 
+permissions:
+  contents: write
+
 on:
   push:
     tags:
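Review bot: The `security-events: write` grant added to codeql-analysis.yml is what the SARIF upload needs, but on private repositories the CodeQL upload step is documented as also requiring `actions: read` to resolve the workflow run it attaches results to; if this repository is private, extend the block to `permissions: { contents: read, security-events: write, actions: read }`. For the `pull_request` trigger visible as context, runs from forked pull requests get a read-only token regardless of this block, so the upload will fail for those runs unless a `push` trigger on the base branch also exists — the trigger list and the jobs continue outside the hunk, so I cannot confirm that from here. A one-line comment above the block, `# security-events: write is required to upload CodeQL results; actions: read is additionally needed on private repos`, would save the next maintainer from trimming it back to read-only.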
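Review bot: release.yml grants `contents: write` at workflow level, so every job and every third-party action in this workflow runs with a token able to push to the repository and publish or overwrite release assets, and the trigger is any tag push. If only one job actually creates the release, keep the workflow-level block at `permissions: contents: read` and grant `permissions: contents: write` on that job alone so build and packaging steps stay read-only; the job definitions are outside the hunk, so I cannot confirm whether the narrower scope fits. Because the token here is write-capable, actions referenced in this workflow should be pinned to a full commit SHA rather than a mutable tag, since a compromised action could use the token to rewrite branches or release contents. The `on: push: tags:` pattern list continues past the end of the hunk.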