ci: set necessary token permissions (#2960)

* ci(fonts): set token permission to remove label I've changed [the default permission of the token to read-only](https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/) and this is the only place we need write access. * ci(codeql): set token permission to upload result * ci(codeql): set token permission to read actions
2025-10-05 03:08:40 +00:00 · 2021-04-28 03:41:05 +09:00
parent 7578671f43
commit 008c99b415
2 changed files with 8 additions and 0 deletions
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -8,6 +8,11 @@ on:
  schedule:
    - cron: '0 0 * * 1'

+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
 jobs:
  analyze:
    name: Analyze
--- a/.github/workflows/fonts.yml
+++ b/.github/workflows/fonts.yml
@@ -11,6 +11,9 @@ jobs:
    if: contains(github.event.pull_request.labels.*.name, 'build fonts')
    outputs:
      image: ${{ steps.check-image.outputs.result }}
+    permissions:
+      contents: read
+      pull-requests: write # to remove label

    steps:
    - uses: actions/checkout@v2