[Build] Add explicit job permissions for on-workflow calls

marc-adaptive · marc-adaptive · commit 64ce522f63bd · 2024-07-31T11:39:42.000-04:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -16,12 +16,20 @@ env:
 jobs:
   ci:
     uses: ./.github/workflows/ci.yml
-
-  codeql:
-    uses: ./.github/workflows/codeql.yml
+    permissions:
+      contents: read
 
   slow:
     uses: ./.github/workflows/slow.yml
+    permissions:
+      contents: read
+
+  codeql:
+    uses: ./.github/workflows/codeql.yml
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
 
   release:
     name: Release java artifacts
