GitHub Workflows security hardening (#6762)

Signed-off-by: Alex <aleksandrosansan@gmail.com>
2025-10-26 08:42:29 +01:00 · 2023-04-25 16:35:39 +02:00 · 2023-04-25 16:35:39 +02:00 · 80c999cc81
commit 80c999cc81
parent 0ed4950896
2 changed files with 8 additions and 0 deletions
--- a/.github/workflows/main-sonar-check.yml
+++ b/.github/workflows/main-sonar-check.yml
@ -22,6 +22,10 @@ on:
    branches:
      - main

+permissions:
+  contents: read # to fetch code (actions/checkout)
+  pull-requests: write # for sonar to comment on pull-request
+
 jobs:
  build:
    name: Main Sonar JaCoCo Build
--- a/.github/workflows/sonar-check.yml
+++ b/.github/workflows/sonar-check.yml
@ -26,6 +26,10 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

+permissions:
+  contents: read # to fetch code (actions/checkout)
+  pull-requests: write # for sonar to comment on pull-request
+
 jobs:
  build:
    if: github.repository == 'apache/cloudstack'