CI: Improve permissions.

Mugen87 · Mugen87 · commit 91ab089a401e · 2026-04-24T15:17:31.000+02:00
diff --git a/.github/workflows/codeql-code-scanning.yml b/.github/workflows/codeql-code-scanning.yml
@@ -10,6 +10,9 @@ on:
     - cron: '29 23 * * 0'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
diff --git a/.github/workflows/report-size.yml b/.github/workflows/report-size.yml
@@ -6,18 +6,20 @@ on:
     types:
       - completed
 
-# This workflow needs to be run with "pull-requests: write" permissions to
-# be able to comment on the pull request. We can't checkout the PR code
-# in this workflow.
-# Reference:
-# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
 permissions:
-  pull-requests: write
+  contents: read
 
 jobs:
   report-size:
     name: Comment on PR
     runs-on: ubuntu-latest
+    # This job needs "pull-requests: write" permissions to be able to comment
+    # on the pull request. We can't checkout the PR code in this workflow.
+    # Reference:
+    # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+    permissions:
+      contents: read
+      pull-requests: write
     if: github.event.workflow_run.event == 'pull_request' &&
       github.event.workflow_run.conclusion == 'success'
     steps:
