From 4f1d739de55c4e5c4c8e5ce191e2000ec96ef111 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn <github@gone.nl>
Date: Wed, 18 Sep 2024 10:29:58 +0200
Subject: [PATCH] gha: govulncheck: make sure read permissions are set

If any permission is set, any permission not included in the list is
implicitly set to "none".

see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

The govulncheck check need read permissions, which is not problematic
for public repositories, but may be needed when running in a private
fork (such as those used for security releases).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
---
 .github/workflows/ci.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a4b21e3745..b1a390f564 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -136,6 +136,8 @@ jobs:
     permissions:
       # required to write sarif report
       security-events: write
+      # required to check out the repository
+      contents: read
     steps:
       -
         name: Checkout