This PR ensures workflows run with minimal permissions, protecting the project from supply-chain attacks.
The change to codeql.yaml is for consistency and future-proofing: if another job is added to the workflow in the future, it will run with just contents: read instead of write-all.
DPJacques
commented
9 months ago
Fixes #74.
This PR ensures workflows run with minimal permissions, protecting the project from supply-chain attacks.
The change to codeql.yaml is for consistency and future-proofing: if another job is added to the workflow in the future, it will run with just
contents: readinstead ofwrite-all.