Give Semgrep permission to write its report (#6253)

Previously semgrep had read-all permission. This patch limits read slightly and adds write permissions to security-events.
2025-06-09 14:42:05 +00:00 · 2025-03-07 08:52:54 +08:00 · 2025-03-07 08:52:54 +08:00 · f0a2ae9ff3
commit f0a2ae9ff3
parent f7afa9a81e
1 changed files with 4 additions and 1 deletions
--- a/.github/workflows/sec_sast_semgrep_cron.yml
+++ b/.github/workflows/sec_sast_semgrep_cron.yml
@ -6,7 +6,10 @@ on:
  schedule:
    - cron: 0 1 * * 6

-permissions: read-all
+permissions:
+  actions: read
+  contents: read
+  security-events: write

 jobs:
  semgrep-full: