From 7e85b5d66ae0cf5c6cf731a496c9041c47111b50 Mon Sep 17 00:00:00 2001
From: Chris Gavin
Date: Thu, 22 Apr 2021 16:59:06 +0100
Subject: [PATCH 1/3] Restrict Actions token permissions in CodeQL workflow.

---
 .github/workflows/codeql.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 8d7adfd89..1f05cd018 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -13,6 +13,9 @@ jobs:
 outputs:
 versions: ${{ steps.compare.outputs.versions }}
 
+ permissions:
+ contents: read
+
 steps:
 - uses: actions/checkout@v2
 - name: Init with default CodeQL bundle from the VM image
@@ -59,6 +62,11 @@ jobs:
 tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
 runs-on: ${{ matrix.os }}
 
+ permissions:
+ contents: read
+ security-events: write
+
+
 steps:
 - uses: actions/checkout@v2
 - uses: ./init

From 643bc6e3ed4023c8aa385aa042c1e251eb4e49be Mon Sep 17 00:00:00 2001
From: Chris Gavin
Date: Thu, 22 Apr 2021 17:26:26 +0100
Subject: [PATCH 2/3] Remove spurious blank line.

---
 .github/workflows/codeql.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 1f05cd018..acd26f1d7 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -66,7 +66,6 @@ jobs:
 contents: read
 security-events: write
 
-
 steps:
 - uses: actions/checkout@v2
 - uses: ./init

From e305db89c2dc1e955b85c2834ce9248044bdfa32 Mon Sep 17 00:00:00 2001
From: Chris Gavin
Date: Fri, 30 Apr 2021 13:42:00 +0100
Subject: [PATCH 3/3] Fix the token permissions for private copies of the CodeQL Action, and for runs that are not from pull requests.

---
 .github/workflows/codeql.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index acd26f1d7..3050dabec 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -14,7 +14,9 @@ jobs:
 versions: ${{ steps.compare.outputs.versions }}
 
 permissions:
+ actions: read
 contents: read
+ security-events: write
 
 steps:
 - uses: actions/checkout@v2
@@ -63,6 +65,7 @@ jobs:
 runs-on: ${{ matrix.os }}
 
 permissions:
+ actions: read
 contents: read
 security-events: write
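Review bot: `security-events: write` is now granted to the `check-codeql-versions` job, whose only visible product is the `versions` output, so unless its init step really writes to the code-scanning API this scope is wider than the job needs; worth confirming against what `./init` does on a private copy before keeping it. The reason these two scopes exist lives only in the commit message, which makes them an easy target for a later "tighten permissions" clean-up; a comment in the file would preserve the intent, e.g. `# actions: read and security-events: write are required when this workflow runs from a private copy of the repository or outside a pull_request event`. The job's `runs-on` line and header sit outside the hunk.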
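Review bot: Job-level `permissions` blocks only protect the jobs that carry them; any job in this workflow without its own block (none is visible in these hunks, but the file is not shown in full) still receives the default token, so a workflow-level `permissions: contents: read` above `jobs:` would make least privilege the default and let each job widen only what it needs. A job-level block also sets every unlisted scope to `none`, so a step added later that needs, say, `pull-requests: write` will fail until the block is extended; a one-line comment such as `# scopes not listed here are set to none` next to the block documents that trade-off for the next editor. The matrix job's header and steps are outside this hunk.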