From 05e5cebb62183260175f84d908bfb36076d7d1bf Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Wed, 11 Sep 2024 01:28:37 +0000
Subject: [PATCH 1/2] [StepSecurity] ci: Harden GitHub Actions
Signed-off-by: StepSecurity Bot
---
 .github/workflows/codeql.yml | 3 +++
 .github/workflows/main.yml | 3 +++
 .github/workflows/test.yml | 3 +++
 .github/workflows/vcpkg.yml | 3 +++
 4 files changed, 12 insertions(+)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index a05a2df5..b112a92b 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -23,6 +23,9 @@ on:
 schedule:
 - cron: '43 3 * * 3'
+permissions:
+ contents: read
+
 jobs:
 analyze:
 name: Analyze (C/C++)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 9af1d23b..5c399e15 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -21,6 +21,9 @@ on:
 - build/*.targets
 - build/*.yml
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ${{ matrix.os }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 93b56895..d8710d3f 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -24,6 +24,9 @@ on:
 env:
 DIRECTXTEX_MEDIA_PATH: ${{ github.workspace }}/Media
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ${{ matrix.os }}
diff --git a/.github/workflows/vcpkg.yml b/.github/workflows/vcpkg.yml
index 973548f1..c0bba6b1 100644
--- a/.github/workflows/vcpkg.yml
+++ b/.github/workflows/vcpkg.yml
@@ -15,6 +15,9 @@ on:
 - LICENSE
 - build/*
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ${{ matrix.os }}
From 467563a25e9a8c7093e35ae4673fa49c5bf520dc Mon Sep 17 00:00:00 2001
From: Chuck Walbourn
Date: Tue, 10 Sep 2024 18:33:25 -0700
Subject: [PATCH 2/2] Update codeql.yml
---
 .github/workflows/codeql.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index b112a92b..b159d884 100644
--- a/.github/workflows/codeql.yml
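Review bot: The workflow-level `permissions: contents: read` added to codeql.yml does not reach the `analyze` job, because a job-level `permissions:` block replaces the workflow default instead of merging with it, and that job already carries its own block (`security-events: write` and `packages: read` appear as its existing lines in the second patch); the identical additions in main.yml, test.yml and vcpkg.yml only take effect for their `build` jobs if those jobs declare no `permissions:` of their own, which lies outside these hunks. Every scope not listed at the workflow level becomes none for jobs that inherit it, so any step in the `build` jobs that writes through `GITHUB_TOKEN` (releases, packages, check annotations) would begin failing with "Resource not accessible by integration"; the job bodies are not in the hunks, so a full run of each workflow is the only way to confirm nothing depends on a write scope. A comment above the new key in all four files would make both the intent and the override rule explicit for the next editor: `# Least-privilege default for GITHUB_TOKEN; a job that needs more must declare its own permissions block, which replaces (not extends) this one.`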
+++ b/.github/workflows/codeql.yml
@@ -32,7 +32,9 @@ jobs:
 runs-on: windows-latest
 timeout-minutes: 360
 permissions:
- security-events: write
+ actions: read # for github/codeql-action/init to get workflow details
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/autobuild to send a status report
 packages: read
 steps:
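Review bot: `packages: read` is the only scope in the rewritten `permissions:` block of the `analyze` job left without a purpose comment, so it now reads as the one scope nobody can justify; `packages: read # to fetch CodeQL packs from GitHub Packages` (adjusted to whatever pack source this workflow really uses) keeps the style of the three annotated lines above it. The comment on `security-events: write` attributes the scope to autobuild's status report, but that scope is also what allows the analyze step to upload SARIF results to code scanning, which is the reason it can never be dropped; naming that consumer in the comment prevents a future reader from removing the scope when autobuild is replaced by manual build steps. The `analyze` job starts before this hunk and its `steps:` continue after it, so which codeql-action steps the job actually runs cannot be confirmed from the hunk.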