From 3d7cf23529371a7960ee217c9218f0d92978f84c Mon Sep 17 00:00:00 2001
From: Sebastian Poxhofer <secustor@users.noreply.github.com>
Date: Thu, 21 Sep 2023 21:08:52 +0200
Subject: [PATCH] ci: fix OpenSSF permission token issues (#24580)

---
 .github/workflows/codeql-analysis.yml | 4 +++-
 .github/workflows/devcontainer.yml    | 3 +++
 .github/workflows/update-data.yml     | 6 ++++--
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 305f5a45eb..6e37bdcebe 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -21,12 +21,14 @@ concurrency:
   cancel-in-progress: true
 
 permissions:
-  security-events: write
+  contents: read
 
 jobs:
   CodeQL-Build:
     runs-on: ubuntu-latest
     if: github.event.pull_request.draft != true
+    permissions:
+      security-events: write
     steps:
       - name: Checkout repository
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
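Review bot: The job-level `permissions:` block added to CodeQL-Build replaces the workflow-level set rather than extending it, so the `contents: read` that was moved to the top of the file no longer applies to the only job in this workflow — for that job `contents` is now `none`, and the token holds `security-events: write` alone. On a public repository the checkout still succeeds as an anonymous clone, but the CodeQL action's documented minimum is `contents: read` plus `security-events: write` (and `actions: read` on private repositories), so the job block should carry both: `permissions:` / `  contents: read` / `  security-events: write`. The `CodeQL-Build` job continues past the end of this hunk, so whether any later step needs further scopes cannot be judged from here.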
diff --git a/.github/workflows/devcontainer.yml b/.github/workflows/devcontainer.yml
index c310d767a9..983bfc7126 100644
--- a/.github/workflows/devcontainer.yml
+++ b/.github/workflows/devcontainer.yml
@@ -9,6 +9,9 @@ on:
       - reopened
       - ready_for_review
 
+permissions:
+  contents: read
+
 jobs:
   devcontainer-test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/update-data.yml b/.github/workflows/update-data.yml
index 2c0f57cf53..d48091e84d 100644
--- a/.github/workflows/update-data.yml
+++ b/.github/workflows/update-data.yml
@@ -8,12 +8,14 @@ env:
   NODE_VERSION: 18
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 jobs:
   update-data:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
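Review bot: Moving `contents: write` and `pull-requests: write` into the `update-data` job does not reduce what the token can do, because it is the only job in this workflow and the job-level block fully overrides the narrowed workflow-level `contents: read`; the visible effect is presumably to satisfy a scanner that flags write scopes at the top level rather than any real hardening. A one-line comment on the job block stating why these write scopes are required would make that explicit for the next reader, e.g. `# needed to push the refreshed data and open a PR — keep scoped to this job`. Note also that `actions/checkout` persists the job token into `.git/config` by default, so every later step in this job can push with `contents: write`; if the push is done by a later action with its own token input, add `persist-credentials: false` to the checkout step. The job's remaining steps, and the workflow's trigger, lie outside this hunk.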
 
-- 
GitLab