Restrict permissions to github token for workflows (#2821)

Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
2025-11-18 16:23:30 +02:00
parent f574d6d2be
commit 018a18850c
5 changed files with 22 additions and 11 deletions
--- a/.github/workflows/reusable_workflow_trivy-scan.yaml
+++ b/.github/workflows/reusable_workflow_trivy-scan.yaml
@@ -12,15 +12,15 @@ on:
        type: boolean
        default: false

+permissions:
+  contents: read
+  # needed for trivy scans upload
+  security-events: write
+
 jobs:
  trivy-scan:
    runs-on: ubuntu-latest

-    permissions:
-      contents: read
-      # needed for trivy scans upload
-      security-events: write
-
    steps:
      - name: Checkout code
        uses: actions/checkout@v5