From d39065943fe3b4bd39214b573d58ab0d32e77aea Mon Sep 17 00:00:00 2001
From: Henry Mercer
Date: Fri, 24 Jan 2025 13:21:05 +0000
Subject: [PATCH] Add missing permissions

---
 .github/workflows/check-expected-release-files.yml | 3 +++
 .github/workflows/codescanning-config-cli.yml | 5 +++++
 .github/workflows/debug-artifacts-failure.yml | 4 ++++
 .github/workflows/debug-artifacts.yml | 4 ++++
 .github/workflows/post-release-mergeback.yml | 3 +++
 .github/workflows/pr-checks.yml | 9 +++++++++
 .github/workflows/python312-windows.yml | 2 ++
 .github/workflows/query-filters.yml | 2 ++
 .github/workflows/rebuild.yml | 3 +++
 .github/workflows/update-bundle.yml | 3 +++
 .github/workflows/update-dependencies.yml | 3 +++
 .github/workflows/update-release-branch.yml | 8 ++++++++
 .../update-supported-enterprise-server-versions.yml | 5 ++++-
 13 files changed, 53 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/check-expected-release-files.yml b/.github/workflows/check-expected-release-files.yml
index c5d225b410..fd1d7c5ae8 100644
--- a/.github/workflows/check-expected-release-files.yml
+++ b/.github/workflows/check-expected-release-files.yml
@@ -13,6 +13,9 @@ jobs:
 check-expected-release-files:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+
 steps:
 - name: Checkout CodeQL Action
 uses: actions/checkout@v4
diff --git a/.github/workflows/codescanning-config-cli.yml b/.github/workflows/codescanning-config-cli.yml
index c4cd4eeaa8..9a059a8b16 100644
--- a/.github/workflows/codescanning-config-cli.yml
+++ b/.github/workflows/codescanning-config-cli.yml
@@ -23,6 +23,11 @@ jobs:
 code-scanning-config-tests:
 continue-on-error: true
+ permissions:
+ contents: read
+ packages: read
+ security-events: write
+
 strategy:
 fail-fast: false
 matrix:
diff --git a/.github/workflows/debug-artifacts-failure.yml b/.github/workflows/debug-artifacts-failure.yml
index 4efa196511..995071df6a 100644
--- a/.github/workflows/debug-artifacts-failure.yml
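Review bot: Every grant in this patch is a job-level `permissions:` block, and neither the check-expected-release-files.yml hunk nor the codescanning-config-cli.yml hunk shows a workflow-level default above `jobs:`, so any job added to these workflows later without its own block would still receive the repository's default GITHUB_TOKEN; the same applies to the other eleven files in the patch. A top-level `permissions:` / `contents: read` (above `jobs:`, outside these hunks) would make read-only the baseline while the job-level blocks remain the explicit escalations, since a job-level block replaces the workflow-level one entirely. The `jobs:` line and the workflow header are outside every hunk, so whether such a default already exists is inferred from the diff scope rather than the full files.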
+++ b/.github/workflows/debug-artifacts-failure.yml
@@ -23,6 +23,8 @@ jobs:
 continue-on-error: true
 env:
 CODEQL_ACTION_TEST_MODE: true
+ permissions:
+ contents: read
 timeout-minutes: 45
 runs-on: ubuntu-latest
 steps:
@@ -58,6 +60,8 @@ jobs:
 name: Download and check debug artifacts after failure in analyze
 needs: upload-artifacts
 timeout-minutes: 45
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - name: Download all artifacts
diff --git a/.github/workflows/debug-artifacts.yml b/.github/workflows/debug-artifacts.yml
index a8cf710085..2dd0691359 100644
--- a/.github/workflows/debug-artifacts.yml
+++ b/.github/workflows/debug-artifacts.yml
@@ -34,6 +34,8 @@ jobs:
 env:
 CODEQL_ACTION_TEST_MODE: true
 timeout-minutes: 45
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - name: Check out repository
@@ -64,6 +66,8 @@ jobs:
 name: Download and check debug artifacts
 needs: upload-artifacts
 timeout-minutes: 45
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - name: Download all artifacts
diff --git a/.github/workflows/post-release-mergeback.yml b/.github/workflows/post-release-mergeback.yml
index f6896fb22b..9b0b35118a 100644
--- a/.github/workflows/post-release-mergeback.yml
+++ b/.github/workflows/post-release-mergeback.yml
@@ -27,6 +27,9 @@ jobs:
 BASE_BRANCH: "${{ github.event.inputs.baseBranch || 'main' }}"
 HEAD_BRANCH: "${{ github.head_ref || github.ref }}"
+ permissions:
+ contents: write # needed to create tags and push commits
+
 steps:
 - name: Dump environment
 run: env
diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
index bd406774b8..676fa65d1d 100644
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -40,6 +40,8 @@ jobs:
 check-node-modules:
 if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
 name: Check modules up to date
+ permissions:
+ contents: read
 runs-on: macos-latest
 timeout-minutes: 45
@@ -51,6 +53,8 @@ jobs:
 check-file-contents:
 if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
 name: Check file contents
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 timeout-minutes: 45
@@ -81,6 +85,8 @@ jobs:
 fail-fast: false
 matrix:
 os: [ubuntu-latest, macos-latest, windows-latest]
+ permissions:
+ contents: read
 runs-on: ${{ matrix.os }}
 timeout-minutes: 45
@@ -101,6 +107,9 @@ jobs:
 env:
 BASE_REF: ${{ github.base_ref }}
+ permissions:
+ contents: read
+
 steps:
 - uses: actions/checkout@v4
 - id: head-version
diff --git a/.github/workflows/python312-windows.yml b/.github/workflows/python312-windows.yml
index da5226dc29..b9eba295b7 100644
--- a/.github/workflows/python312-windows.yml
+++ b/.github/workflows/python312-windows.yml
@@ -17,6 +17,8 @@ jobs:
 env:
 CODEQL_ACTION_TEST_MODE: true
 timeout-minutes: 45
+ permissions:
+ contents: read
 runs-on: windows-latest
 steps:
diff --git a/.github/workflows/query-filters.yml b/.github/workflows/query-filters.yml
index c5a838716c..d562e7d975 100644
--- a/.github/workflows/query-filters.yml
+++ b/.github/workflows/query-filters.yml
@@ -19,6 +19,8 @@ jobs:
 query-filters:
 name: Query Filters Tests
 timeout-minutes: 45
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - name: Check out repository
diff --git a/.github/workflows/rebuild.yml b/.github/workflows/rebuild.yml
index c2dcb2c690..97cac94fbd 100644
--- a/.github/workflows/rebuild.yml
+++ b/.github/workflows/rebuild.yml
@@ -11,6 +11,9 @@ jobs:
 runs-on: ubuntu-latest
 if: github.event.label.name == 'Rebuild'
+ permissions:
+ contents: write # needed to push rebuilt commit
+ pull-requests: write # needed to comment on the PR
 steps:
 - name: Checkout
 uses: actions/checkout@v4
diff --git a/.github/workflows/update-bundle.yml b/.github/workflows/update-bundle.yml
index 36a96c7399..73ab6b4141 100644
--- a/.github/workflows/update-bundle.yml
+++ b/.github/workflows/update-bundle.yml
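Review bot: The rebuild job in rebuild.yml now holds `contents: write` and `pull-requests: write` but is gated only by `if: github.event.label.name == 'Rebuild'`, whereas the update-dependencies.yml hunk in this same patch additionally requires `github.event.pull_request.head.repo.full_name == 'github/codeql-action'` before granting the same scopes. The workflow's `on:` trigger is outside the hunk; on a plain `pull_request` event a fork PR already gets a read-only token, but if the trigger is `pull_request_target` the write token would run against a checked-out fork head, so the same-repository guard is worth having regardless. Suggest aligning the two: `if: github.event.label.name == 'Rebuild' && github.event.pull_request.head.repo.full_name == 'github/codeql-action'`. The job header and its remaining steps start and end outside the hunk.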
@@ -17,6 +17,9 @@ jobs:
 update-bundle:
 if: github.event.release.prerelease && startsWith(github.event.release.tag_name, 'codeql-bundle-')
 runs-on: ubuntu-latest
+ permissions:
+ contents: write # needed to push commits
+ pull-requests: write # needed to create pull requests
 steps:
 - name: Dump environment
 run: env
diff --git a/.github/workflows/update-dependencies.yml b/.github/workflows/update-dependencies.yml
index 0d24650e05..364dec011f 100644
--- a/.github/workflows/update-dependencies.yml
+++ b/.github/workflows/update-dependencies.yml
@@ -9,6 +9,9 @@ jobs:
 timeout-minutes: 45
 runs-on: macos-latest
 if: contains(github.event.pull_request.labels.*.name, 'Update dependencies') && (github.event.pull_request.head.repo.full_name == 'github/codeql-action')
+ permissions:
+ contents: write # needed to push the updated dependencies
+ pull-requests: write # needed to comment on the PR
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
diff --git a/.github/workflows/update-release-branch.yml b/.github/workflows/update-release-branch.yml
index cac2c67b10..71bd817a79 100644
--- a/.github/workflows/update-release-branch.yml
+++ b/.github/workflows/update-release-branch.yml
@@ -22,6 +22,8 @@ jobs:
 latest_tag: ${{ steps.versions.outputs.latest_tag }}
 backport_source_branch: ${{ steps.branches.outputs.backport_source_branch }}
 backport_target_branches: ${{ steps.branches.outputs.backport_target_branches }}
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v4
 with:
@@ -63,6 +65,9 @@ jobs:
 REPOSITORY: "${{ github.repository }}"
 MAJOR_VERSION: "${{ needs.prepare.outputs.major_version }}"
 LATEST_TAG: "${{ needs.prepare.outputs.latest_tag }}"
+ permissions:
+ contents: write # needed to push commits
+ pull-requests: write # needed to create pull request
 steps:
 - uses: actions/checkout@v4
 with:
@@ -114,6 +119,9 @@ jobs:
 env:
 SOURCE_BRANCH: ${{ needs.prepare.outputs.backport_source_branch }}
 TARGET_BRANCH: ${{ matrix.target_branch }}
+ permissions:
+ contents: write # needed to push commits
+ pull-requests: write # needed to create pull request
 steps:
 - name: Generate token
 uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755
diff --git a/.github/workflows/update-supported-enterprise-server-versions.yml b/.github/workflows/update-supported-enterprise-server-versions.yml
index 6900101006..5eaa167c36 100644
--- a/.github/workflows/update-supported-enterprise-server-versions.yml
+++ b/.github/workflows/update-supported-enterprise-server-versions.yml
@@ -10,7 +10,10 @@ jobs:
 name: Update Supported Enterprise Server Versions
 timeout-minutes: 45
 runs-on: ubuntu-latest
- if: ${{ github.repository == 'github/codeql-action' }}
+ if: github.repository == 'github/codeql-action'
+ permissions:
+ contents: write # needed to push commits
+ pull-requests: write # needed to create pull request
 steps:
 - name: Setup Python
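Review bot: The backport job in update-release-branch.yml (hunk at -114) grants GITHUB_TOKEN `contents: write` and `pull-requests: write`, yet its first step is `Generate token` via `actions/create-github-app-token`; if the later steps (outside the hunk) push and open the pull request with that app token, the default token only needs `contents: read` for the checkout. Worth confirming which token the push and PR steps actually use and trimming the grant to `contents: read` if it is the app token, or otherwise stating it in the comment, e.g. `contents: write # GITHUB_TOKEN pushes directly; the app token is only used for the PR`, so the two tokens' roles are not confused. The same question applies to the other `contents: write` jobs in this patch whose step bodies are not visible here.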