gha: govulncheck: make sure read permissions are set

thaJeztah · thaJeztah · commit 4f1d739de55c · 2024-09-18T10:29:58.000+02:00
If any permission is set, any permission not included in the list is implicitly set to "none". see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions The govulncheck check need read permissions, which is not problematic for public repositories, but may be needed when running in a private fork (such as those used for security releases). Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -136,6 +136,8 @@ jobs:
     permissions:
       # required to write sarif report
       security-events: write
+      # required to check out the repository
+      contents: read
     steps:
       -
         name: Checkout

Original file line number	Diff line number	Diff line change
`@@ -136,6 +136,8 @@ jobs:`
`136`	`136`	`permissions:`
`137`	`137`	`# required to write sarif report`
`138`	`138`	`security-events: write`
	`139`	`+ # required to check out the repository`
	`140`	`+ contents: read`
`139`	`141`	`steps:`
`140`	`142`	`-`
`141`	`143`	`name: Checkout`