authorEvgeny Vereshchagin <evvers@ya.ru>2021-11-14 09:41:42 +0000
committerEvgeny Vereshchagin <evvers@ya.ru>2021-11-14 10:51:07 +0000
commit510afa460acad51a05e627f61d62a33f066b78da (patch)
tree56e3b20896538e2b2ad40b1e5c0711fc6e34fd69 /.github
parentb3a1fb795a75a82f3be1325031872dfe61cc2593 (diff)
downloadsystemd-510afa460acad51a05e627f61d62a33f066b78da.tar.gz
ci: tighten codeql and labeler even more
by moving the read permissions to the top level and granting additional permissions to the specific jobs. It should help to prevent new jobs that could be added there eventually from having write access to resources they most likely would never need.
Diffstat (limited to '.github')
-rw-r--r--.github/workflows/codeql-analysis.yml4
-rw-r--r--.github/workflows/labeler.yml3
2 files changed, 5 insertions, 2 deletions
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index c003cc5179..460002eaeb 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -11,6 +11,9 @@ on:
schedule:
- cron: '0 1 * * *'
+permissions:
+ contents: read
+
jobs:
analyze:
name: Analyze
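Review bot: The new top-level `contents: read` does not reach the `analyze` job, because a job-level `permissions:` block replaces the workflow-level one rather than merging with it, and the second hunk (`@@ -20,7 +23,6`) removes `contents: read` from exactly that block, leaving the job with `actions: read` and `security-events: write` and every other scope set to none. On a public repository the checkout step presumably still succeeds without the contents scope, but a reader of the top-level block will assume it applies to every job, which is the misreading the commit message's "additional permissions" wording invites. A comment above the added lines would pin the semantics, e.g. `# Default for jobs that declare no permissions: block of their own; a job-level block replaces this rather than extending it.` The same override rule applies to the job-level block added in the labeler hunk, whose last line is cut off at the end of this page; the `analyze` job body itself continues outside both codeql hunks.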
@@ -20,7 +23,6 @@ jobs:
cancel-in-progress: true
permissions:
actions: read
- contents: read
security-events: write
strategy:
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 800f8877a3..34d9d63d42 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -9,11 +9,12 @@ on:
permissions:
contents: read
- pull-requests: write
jobs:
triage:
runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
steps:
- uses: actions/labeler@69da01b8e0929f147b8943611bee75ee4175a49e
with: