From 7d6ec8875cf962b3c1405be5f6c16f1e6d181062 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Tue, 10 Sep 2024 19:05:06 -0700
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions (#171)

---
 .github/workflows/codeql.yml | 7 ++++++-
 .github/workflows/main.yml | 3 +++
 .github/workflows/test.yml | 3 +++
 .github/workflows/vcpkg.yml | 3 +++
 4 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 0d17ff8..6b1cf85 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -21,13 +21,18 @@ on:
   schedule:
     - cron: '19 19 * * 0'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze (C/C++)
     runs-on: windows-latest
     timeout-minutes: 360
     permissions:
-      security-events: write
+      actions: read # for github/codeql-action/init to get workflow details
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/autobuild to send a status report
       packages: read
 
     steps:
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 424287b..55b4c8d 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -19,6 +19,9 @@ on:
       - build/*.ps1
       - build/*.yml
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ${{ matrix.os }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 9c8a19e..1eb8fca 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -23,6 +23,9 @@ env:
   DIRECTXMESH_MEDIA_PATH: ${{ github.workspace }}/Media
   DIRECTXTEX_MEDIA_PATH: ${{ github.workspace }}/Media
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ${{ matrix.os }}
diff --git a/.github/workflows/vcpkg.yml b/.github/workflows/vcpkg.yml
index 0e6ecbd..ee171ec 100644
--- a/.github/workflows/vcpkg.yml
+++ b/.github/workflows/vcpkg.yml
@@ -15,6 +15,9 @@ on:
       - LICENSE
       - build/*
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ${{ matrix.os }}
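Review bot: The job-level `permissions` block under `analyze` in codeql.yml replaces the new workflow-level `permissions: contents: read` rather than merging with it, so it has to stay self-contained; it does here because `contents: read` is re-listed, but that invariant is easy to break on a later edit and deserves a comment above the job block such as `# job-level permissions override the workflow-level block entirely; keep contents: read here`. The justification on `security-events: write` names only the autobuild status report, whereas I believe the SARIF upload done by the analyze step (which lies outside this hunk, after `steps:`) needs the same scope, so a comment covering both, e.g. `# for github/codeql-action autobuild/analyze to send status reports and upload SARIF`, would keep the rationale accurate. `packages: read` is the one remaining scope with no "why" comment, unlike its three siblings. The `analyze` job body continues past the end of the hunk.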
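Review bot: The workflow-level `permissions: contents: read` added to main.yml now caps the GITHUB_TOKEN for every job, and the identical hunks in test.yml and vcpkg.yml do the same; the `build` job's steps are outside each hunk, so any step that relies on a write scope (creating releases, writing checks or PR comments, publishing packages) would start failing under this change and needs its own job-level `permissions:` block — confirm against the full job bodies. Because a job-level block replaces the workflow-level one entirely, such a block must re-list `contents: read` instead of adding only the extra scope. A one-line comment above each new block, `# default-deny for GITHUB_TOKEN; a job needing more must declare a complete job-level permissions block`, would make that intent explicit for future maintainers.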