Set permissions at job level instead.

dlemstra · dlemstra · commit 6cb611476797 · 2026-03-28T09:47:34.000+01:00
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -8,16 +8,19 @@ on:
     paths:
     - .github/workflows/codeql-analysis.yml
 
+permissions: {}
+
 name: codeql analysis
-permissions:
-  contents: read
-  packages: read
-  security-events: write
 jobs:
   csharp:
     name: CodeQL analysis (C#)
     runs-on: windows-2022
 
+    permissions:
+      contents: read
+      packages: read
+      security-events: write
+
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
         with:
@@ -51,6 +54,10 @@ jobs:
     name: CodeQL analysis (GitHub Actions)
     runs-on: ubuntu-24.04
 
+    permissions:
+      contents: read
+      security-events: write
+
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
         with:
